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HEALTH MANAGEMENT SYSTEM FOR ROCKET ENGINES 


ABSTRACT 


The functional framework of a failure detection algorithm for the 
Space Shuttle Main Engine (SSME) is developed. The basic algorithm 
is based only on existing SSME measurements. Supplemental 
measurements, expected to enhance failure detection effectiveness, 
are identified. 

To support the algorithm development, a figure of merit is defined 
to estimate the likelihood of SSME criticality 1 failure modes and 
the failure modes are ranked in order of likelihood of occurrence. 
Nine classes of failure detection strategies are evaluated and 
promising features are extracted as the basis for the failure 
detection algorithm. 

The failure detection algorithm provides early warning capabilities 
for a wide variety of SSME failure modes. Preliminary algorithm 
evaluation, using data from three SSME failures representing three 
different failure types, demonstrated indications of imminent 
catastrophic failure well in advance of redline cutoff in all three 
cases. 




SECTION 1 - INTRODUCTION 


Currently rocket engine protection consists of a redline system that 
issues an engine cutoff if a measured value exceeds a pre-determined 
operation limit for any of several parameters. For the SSME, seven key 
engine parameters are monitored during mainstage and their limits are set 
at levels above which safe engine operation is impaired. Reliance on this 
system alone, however, has led to premature engine cutoff caused by 
combinations of normal excursions and engine-to-engine (and even test- 
to-test) variations of the redline parameters. Moreover, during 
developmental and operational firings, over forty severe failures have 
resulted in extensive damage to the engine and components even though 
the engine was being monitored with the redline system. 

During a SSME ground test, about 500 measurements are normally recorded 
in addition to visual coverage such as film, video and crew observation. 
The measurement system acquires data on critical parameters such as 
pressures, temperatures, flowrates, rotational speeds, valve positions, 
etc., that reflect internal engine performance. Monitoring of some of 
these additional parameters using techniques more advanced than standard 
redlines is expected to provide more complete failure coverage for the 
engine and enable earlier failure detection. The System for Anomaly and 
Failure Detection (SAFD) is one such system being developed (ref. 1&2). It 
increases engine protection by monitoring a relatively large number of 
parameters (23), placing fairly tight tolerance bands around nominal 
values and/or a measured average for each parameter, and issuing a cutoff 
if a predetermined number of parameters exceed their tolerance bands 
(e.g. four anomalous sensors might be required for cutoff). 

The goal of this program is to further enhance safety monitoring through 
development of an advanced framework for a failure detection system. The 
health management system for rocket engines (HMSRE) framework is the 
result of this effort. 

A key feature of the failure detection strategy for the HMSRE framework 
is the determination of overall engine health from calculated engine level 
anomaly parameters. These parameters are a combination of individual, 
weighted sensor deviations correlated to provide either an overall 
anomaly value or indications of a specific degradation (e.g. loss of HP FT 
efficiency). This approach is in marked contrast to existing failure 
detection schemes which rely on definition of anomalies for individual 
parameters. Definition of engine level parameters allows the HMSRE to 
detect a wide variety of early failure indications, all of them applicable 
to the SSME. For example, the first indication of a failure may be a large 
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deviation in only a few sensors or it may be subtle changes in a relatively 
large number of sensors. Since the HMSRE is not dependent on individual 
sensor anomalies, a group of subtle changes is as detectable as a few 
major deviations, even if some of the parameters never deviate enough to 
be considered "anomalous". This capability is especially attractive for 
relatively slow failures in which many parameters generally drift off 
nominal. Slow failures are of particular interest in this program since 
early detection of these failures is expected to significantly reduce the 
ensuing damage. 

The HMSRE framework consists of engine level anomaly parameter 
algorithms working in parallel with the current redline, FASCOS, and SAFD 
systems to further extend SSME failure coverage and provide even earlier 
detection for many failures. The HMSRE complements existing systems by 
providing sensitivity to a wider variety of failure indications. For 
example, redlines are sensitive to failures indicated by a large change in a 
single parameter, SAFD reacts to failures resulting in smaller, but 

significant changes in several parameters, FASCOS (or RASCOS) detects 
abnormally high turbopump vibrations, and HMSRE is sensitive to failures 
indicated by weighted combinations of multiple sensor deviations - 
making HMSRE sensitive to subtle changes in a moderate number of 

parameters or large changes in only a few. Each system provides some 
unique advantages to the overall engine protection scheme, but a large 
degree of overlap also exists. Therefore, in addition to providing 

increased sensitivity to a wide range of early failure signatures, the 
overall observability of the system is increased. The SSME measurements 
used by each system and the basic failure detection strategies are 
represented in Figure 1-1 which shows the overall SSME protection 
strategy. 

While each of these approaches offers some advantages and will provide 
the earliest indication for some failures, the system defined by the 
HMSRE framework provides the greatest overall utility in both failure 

coverage and earliness of detection. 


2 



ENGINE SAFETY MONITORING PARAMETERS 
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FIGURE 1-1 EXTENDED FAILURE COVERAGE WITH MULTIPLE SYSTEMS 




SECTION 2 - PROGRAM OVERVIEW 

The purpose of this program was to synthesize a framework, or conceptual 
structure, for a health management system for rocket engines (HMSRE) and 
develop a plan for a breadboard implementation of the HMSRE. It is based 
on existing and/or near term technologies to enable ground testing within 
five years. Although the HMSRE will be used initially to support SSME 
ground tests, the design of the system does not preclude eventual 
utilization on SSME flights. 

The program was divided into 4 tasks: 

Task 1: Identification of Failure Modes, 

Task 2: Methods to Detect and Minimize Damage, 

Task 3: Framework for Health Management, and 
Task 4: Plan for Breadboard Implementation. 

In Task 1, the SSME failure modes and effects analysis (FMEA) and failure 
history were reviewed to identify critical SSME failure modes. A figure 
of merit (F.O.M.) was established and used to quantitatively rank the 
failure modes. Sensors expected, or observed in the failure history, to 
indicate each of the 45 highest ranked failure modes were identified. 

In Task 2, damage minimization methods (compatible with the Block-ll 
SSMEC) were evaluated. Failure detection methods, that address the types 
of failures identified in Task 1, were evaluated to characterize near term 
applicability to the SSME and general effectiveness of each. 

Task 3 combined promising elements of the failure detection methods, 
evaluated in Task 2, and synthesized an HMSRE framework. The 
effectiveness of the framework was evaluated against current detection 
systems. In addition, a basic algorithm was coded and the conceptual 
HMSRE strategy was demonstrated for three SSME failures. 

Finally, Task 4 generated an implementation plan for the development of 
the proposed HMSRE framework. 
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SECTION 3 - RANKING AND CHARACTERIZATION OF SSME FAILURE 
MODES 

The effort described in this section consists of evaluation of potential 
SSME failure modes and identification of those failure modes most likely 
to occur. The SSME failure modes were ranked and characterized to (1) 
assist in definition of HMSRE system requirements and limitations and 
(2) to serve as a database for the development of failure detection 
techniques and system frameworks. 

3.1 QUALITATIVE RANKING OF FAILURE MODES 

The goal of this task is to qualitatively rank the SSME failure modes 
according to relative risk to the engine. 

The critical failure modes of the SSME have been assessed previously (ref. 
3) based on a review of the revised SSME Failure Modes and Effects 
Analysis and Critical Items List (FMEA/CIL), performed in 1987 and issued 
on 10/23/87. This assessment, the Critical Item Ordinal Ranking of the 
SSME (CIOR-SSME), was performed using NASA instructions which were to 
be applied to the entire NSTS on a uniform basis. The assessment used a 
subjective categorization procedure which yielded an ordinal ranking cf 
all Critical Items. 

The failure mode information collected for the ordinal ranking study was 
deemed a suitable database for the HMSRE quantitative ranking of failure 
modes. 

Review of the data contained within the ordinal ranking study resulted in 
the following decisions: (1) determine a methodology which can resu't in 

a cardinal ranking of the failure modes in order to establish their relative 
magnitude of importance; (2) employ Quantitative Probabilistic Risk 
Assessment (QRA or PRA) methods using the already existing subjective 
assessment results as inputs; and (3) only the criticality 1 , loss of 
vehicle, failure modes were to be considered. 


FIGURE OF MERIT PROCESS (FOM) 

The FOM process uses a probabilistic approach with expert judgments as 
inputs. This is in the line of Bayesian reasoning which is extensively used 
in QRA. In Bayesian reasoning, probabilities are associated with 
individual events and not merely sequences of events. Since probabilities 
of failure modes are not known, they are substituted by subjective 
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estimates of the likelihood of occurrence. The probability of a worst case 
event to occur is divided into three probability parts which, in turn, are 
determined by aggregation of attributes. The attributes are the products 
of weighting factors, and of discrete factors (1 or 0) which express the 
existence or non-existence of the attributes. The weighting factors were 
determined by a survey of expert opinions from SSME test operations, 
SSME systems engineering, SSME controls and monitoring). The discrete 
attribute factors were obtained from the CIOR-SSME. The probabilities 
were normalized and combined to produce a single value as discussed in 
the next sections. 

All Criticality 1 events were subjected to this subjective probability 
calculation and ranked according to their risk (highest risk equals highest 
rank). 


EVENT TREE 

Any quantitative method of determining risk is based on the usual 
engineering definition of risk as the product of failure probability and 
failure consequence. Since most of the CIL events (i.e., 310 out of over 
400) had "engine and vehicle loss" as the worst consequence, the analysis 
was restricted to these worst cases. Therefore, the consequence for each 
event is the same; and the risk quantification reduces to a probability 
quantification. 

In order to aid the visualization of the probabilistic approach, an event 
tree for SSME Criticality 1 failures was constructed (Figure 3-1). This 
event tree is similar to those extensively used at Rocketdyne for nuclear 
reactor safety analyses. The event tree in Figure 3-1 shows the 

propagation of failure events which is necessary to lead to the 

consequence listed in the right column. During normal operation, a 
probability of Pb exists that an initiating event occurs. Given an 

initiating event occurs, a probability Pc exists that the initiating event 
progresses to the worst case, barring protection by design measures. 
Given the initiating event occurs and propagation to worst case has 

started, a probability Pd exists that protection measures fail. The 

overall, or aggregated, probability for the worst case scenario is 
therefore the product of the first probability, Pg, and the conditional 
probabilities Pc and Pd. 
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The three probability elements are determined from subjective judgments 
and actual experience. This is discussed in the following paragraphs. 

RRQBABILITY OF INITIA TING EVENT 

Figure 3-2 depicts how the individual subjective judgments and test 
history are combined using a "probabilistic tree" (similar to a fault tree). 
The top two branches are the inherent probability that the initiating event 
occurs (PBi). made up of "design confidence" and "failure observation", and 
the probability that the initiating event is not detected during inspection 
(PBd)- PBi is determined by the probability that there is insufficient 

design confidence (weighted once) or there have been failures observed 
(weighted twice), given that there is no testing/inspection on an as- 
needed basis. Inspections are conservatively estimated to sucessfully 

identify 10% of initiating events, therefore, PBd equals 1.0 if no 

inspections are performed and 0.9 if appropriate inspections are 
implemeted. The overall probability of an initiating event occuring during 
a hot-fire test is the product of PBi and PBd. 

All probability attributes were first weighted (W n ) and then multiplied by 
a discrete factor, Bp, noting that they either exist (Bp=1) or do not exist 
(Bp«0). The weighting factors are to be understood as "allocated 
probability weights , as determined by an expert opinion survey of six 
Rocketdyne engineering specialists. 

The factors Bp and Dio were obtained from the previously cited CIRA 
document. All discrete factors for the 310 failure modes ranked highest 
in the CIRA document are summarized in binary form. The top 37 are 
shown in Figure 3-3. The five attributes for "insufficient design 
confidence" are all possible; therefore, that part of the probability Pb was 
normalized by dividing by the sum of the weights. The three attributes for 
"failure observed" are mutually exclusive; therefore, this part of Pb was 
normalized to a range of 0 to 1 by dividing the weighted sum (which only 
includes one of the three possible scenarios) by the maximum possible 
weight. Therefore, the worst case scenario (B8) is normalized to 1 .0 
while the other scenarios represent 'ess risk and have correspondingly 
lower, weighted values. 
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PROBABILITY OF EVENT PROPAGATION 


Figure 3-4 presents the probability tree for event propagation to worst 
case. The two branches of the probability that the event propagates to the 
worst case (Pc) consists of the existence of propagation factors 
(weighted once), combined by an "or" with the existence of a failure 
history (weighted twice). Again, the allocated probability weights were 
determined by expert opinion, and the discrete C-factors were those 
contained in the binary summary. Normalization was obtained by dividing 
by the sum of weights for propagation factors, and by the maximum 
weight for the mutually exclusive failure history attributes. The 
maximum possible value for Pc is 1.0; the minimum value is 0. 
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FIGURE 3-2 PROBABILITY TREE FOR INITIATING EVENT 
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FIGURE 3-3 DISCRETE EVALUATION FACTORS 
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FIGURE 3-4 PROBABILITY TREE FOR EVENT PROROGATION 



PROBABILITY OF PROTECTION FAILURE 


Figure 3-5 shows the probability tree for protection failure. The two 
branches of the probability that faiiure occurs due to lack of protection 
(PD) consist of the fact that no redundancy exists and that no redline 
parameter is measured. The two facts exacerbate each other and are 
therefore combined multiplicatively. The attributes of no redundancy are 
listed in ascending order of their potential contribution to a failure. 
These attributes are mutually exclusive within the design approach of the 
SSME. The magnitude of their weights was determined by considering that 
simple hardware, software or functional redundancy decreases failure 
probabilities by one or two orders of magnitude. Redundancies were 
considered to be a more effective protection device than redlines. The 
maximum possible value for Pd is 1.0; the minimum value is 1x10 Only 
45 failure modes fall into the category where the failure probability is 
mitigated by either redundancy or redline parameters. 


RESULTS OF FAILURE MODE RANKING BY FQM 

The three probabilities were combined multiplicatively, as indicated in 
Figure 3-1. An example of the FOM methodology is shown in Figure 3-6. 
The top part of Figure 3-6 indicates data for CIL number A1 50-01. The 
numerical results of the three equations for Pb, PC and Pd were 
multiplied and gave 0.713 for overall normalized failure probability. This 
represents the failure mode with the highest criticality as defined by the 
F.O.M. process. Attachment 1 presents the ranking results of all 310 
criticality 1 failure modes. The failure modes, and corresponding rank, are 
shown for each LRU in Attachment 2. 
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FIGURE 3-5 PROBABILITY TREE FOR EVENT PROTECTION 




CIL NUMBER : A1 50-01 

LRU : HEAT EXCHANGER 

FAILURE MODE : COIL FRACTURE/LEAKAGE 

FAILURE CONSEQUENCE : LOSS OF VEHICLE 

FROM SSME CRITICAL ITEM RANKING REPORT (RSS-8790, 3/25/88): 
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FIGURE 3-6 EXAMPLE OF F.O.M. METHODOLOGY 



Due to rounding of numbers, the highest ranked failure mode listed in 
Attachments 1 and 2 has a slightly different probability estimate (0.695) 
compared to that of the example in Figure 3-6 (0.714). 

In the final ranking list (Attachment 1), the 40 highest ranked failure 
modes using the FOM procedure include the 20 highest CIRA-ranked failure 
modes; however, in a different order. 


3.2 CHARACTERIZATION OF HIGHEST RANKED FAILURE MODES 

The 45 highest ranked (most likely) failure modes were selected to 
represent the failure scenarios expected on the SSME. These failure 
modes were characterized to provide a database of failure indications for 
subsequent detection method and framework efforts. 

Each failure mode was characterized by identifying 1) possible causes, 
2) possible effects, 3) correlated test cases, and 4) available sensors 
expected to indicate the failure. Possible causes for each failure mode 

were identified in the SSME FMEA/CIL documentation. Possible effects 
were determined through the SSME FMEA/CIL and consultation with SSME 
test operations and system engineers. SSME incident test cases were 
correlated to specific failure modes on the basis of failure indication 
(rather than root cause). For example: Failure A340-02 is a nozzle fuel 

leak, a failure that in many cases results from an earlier failure. A test 
case is considered correlated to this failure mode if a nozzle leak occurs 
at any point during the failure sequence. This is appropriate since the 
purpose of the effort is to characterize observable anomalies that 
indicate a failure, regardless of the cause. Finally, by examining 
correlated test cases and through consultation with SSME test operations 
personnel, available sensors expected to provide failure indications were 
identified. The results of this effort are summarized in Attachment 3 for 
each failure mode. Summaries of each test case can be found in the SAFD 
Phase I Report (ref. 1). 


3.3 IDENTIFICATION OF HIGH PAYOFF FAILURE MODES 

The 45 most likely failure modes (as determined by the figure of merit 
process) were evaluated on the basis of detectability and damage 
minimization potential. The objective of the failure mode classification 
was to systematically evaluate the most likely, critical failure modes 
(identified in Task 1) to determine which of those, if addressed as part of 
the HMSRE, had the highest potential for improving engine protection. 


16 


The methodology used for the failure mode classification is shown in 
Figure 3-7. Thiee key issues influencing the effectiveness of HMSRE 
implementation were addressed: 1) detectability (Phase I), availability of 
detailed failure signatures (Phase II), and effectiveness of current 
detection systems (Phase III). 

Phase I - Failure Mode Detectability 

The primary goal for phase I was to determine which of the 45 highest 
ranked failure modes were likely to provide early failure indications. The 
rationale behind the phase I sort is that failure modes with no detectable, 
early failure indications (anomalies) provide no basis for early detection. 

The possibility of early indications was determined using two 
complementary sources of data: 1) detailed evaluation of the available 

test history, and 2) an assessment of each failure mode’s propagation 
scenario by SSMF test operations personnel. 

Based on the investigation results, the failure modes were grouped 
according to the likelihood of detectable, early indications and the 
availability of related test histories. The failure modes were placed into 
one of four categories: 

1. failure modes with expected anomalies and no related test history. 

2. failure modes with expected anomalies and related test history. 

3. failure modes with no expected anomalies and a related test history. 

4. failure modes with no expected anomalies and no related test history. 

Those failure modes judged to provide no early failure indications and 
having no related test history were eliminated from further evaluation. In 
addition, the test data was evaluated for the one failure mode with a test 
history and no expected anomaly (B400-22) and no early warnings were 
identified. Therefore, this test was also eliminated from further 
evaluation. 

The results of the phase I investigation are shown in Table 3.1. Of the 
total 45 failure modes: 13 were in the first category, 17 in the second, 1 
in the third, and 14 in the fourth. 
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TABLE 3.1 FAILURE MODE SORT - ANOMALIES AND TEST HISTORY 


ANOMALIES EXPECTED, NO TEST HISTORY 


tank 

LRU-FM 

Component 

Failure Mode 

■a 

B600-06 

LPFTP 

FUEL LEAKAGE PAST LIFT-OFF SEAL 

mt 

B400-03 

HPOTP 

TURBINE BLADE STRUCTURAL FAILURE. 

15 

A330-02 

MCC 

FUEL LEAKS INTO THE CLOSED CAVITY (LINER & JACKET) 

16 

K1 03-01 

LPFTP DUCT 

FAILS TO CONTAIN HYDROGEN 

18 

D300-01 

ANTI-FLOOD VLV 

LEAKAGE DURING PROPELLANT CONDITIONING. 

20 

B800-06 

LPOTP 

LOSS OF SUPPORT AND POSITION CONTROL. 

22 

E150-14 

CCV ACT. 

SEQUENCE VALVE LEAKS - CNTRL PRESSURANT DOWNSTREAM 

24 

B400-23 

HPOTP 

TURBINE PIECE PART STRUCTURAL FAILURE 

27 

K203-01 

OX BLD FLX LIN 

FAILS TO CONTAIN OXIDIZER. 

39 

D300-03 

ANTI-FLOOD VL\ 

LOW FLOW RESTRICTED OR SHUT OFF. 

40 

A700-02 

OPB 

LOSS OF FUEL TO ASI. 

43 

B400-18 

HPOTP 

LOSS OF COOLANT TO BEARINGS. 

45 

B200-23 

HPFTP 

LOSS OF BALANCING CAPABILITY. 


ANOMALIES EXPECTED, RELATED TEST HISTORY 



LRU-FM 

Component 

Failure Mode 

■n 

A1 50-01 

HEX 

COIL FRACTURE/LEAKAGE. 

2 

C200-1 1 

PCA 

FAILURE TO SUPPLY HELIUM PRESSURANT. 

3 

B200-04 

HPFTP 

STRUCTURAL FAILURE OF TURBINE BLADES. 

4 

A340-02 

NOZZLE 

EXTERNAL RUPTURE. 

5 

Dll 0-01 

MFV 

INTERNAL LEAKAGE. 

6 

A600-04 

FPB 

NON-UNIFORMITY OF FUEL FLOW IN THE INJECTION ELEMENT 

7 

B200-15 

HPFTP 

LOSS OF SUPPORT OR POSITION CONTROL. 

8 

A200-06 

MAIN INJ 

LOX POST CRACK. 

11 

B400-14 

HPOTP 

LOSS OF AXIAL BALANCING FORCE. 

12 

B400-07 

HPOTP 

FAILURE TO TRANSMIT TORQUE. 

13 

A200-09 

MAIN INJ 

INTERPROPELLANT PLATE CRACKS. 

25 

A330-03 

MCC 

INTERNAL RUPTURE AT THE MCC NOZZLE INTERFACE. 

32 

C200-07 

PCA 

INSUFFICIENT OR NO NITROGEN PURGE FLOW 

36 

B400-13 

HPOTP 

LOSS OF SUPPORT, POSITION CONTROL, ROTORDYNAMIC STABILITY 

37 

B200-07 

HPFTP 

TURBINE DISCHARGE FLOW BLOCKAGE. 

41 

B200-16 

HPFTP 

LOSS OF COOLANT FLOW TO TURBINE BEARINGS. 

42 

B200-17 

HPFTP 

LOSS OF COOLANT FLOW TO TURBINE DISCS. 


NO ANOMALIES EXPECTED. RELATED TEST HISTORY 



LRU-FM 

Component 

Failure Mode 

□3 

B400-22 

HPOTP 

PUMP PIECE PART STRUCTURAL FAILURE. 


NO ANOI 

MALIES EXPECTED, NO TEST HISTORY 

Rnk 

LRU-FM 

Component 

Failure Mode 

17 

D500-06I 

GOX CNTL VLV 

MAINTAIN STRUCTURAL INTEGRITY. 

19 

K1 06-02 

HP FUEL DUCT 

FAILS TO CONTAIN HYDROGEN 

21 

A200-07 

MAIN INJ 

EXTERNAL RUPTURE. 

23 

D220-06 

OX BLD VLV 

FRETTING OF INTERNAL PARTS. 

26 

B200-26 

HPFTP 

STRUCTURAL FAILURE. 

28 

D 120-05 

MOV 

PIECE PART STRUCTURAL FAILURE. 

29 

A050-02 

POWERHEAD 

SHELL OR PROPELLANT DUCT RUPTURE. 

30 

A600-11 

FPB 

EXTERNAL RUPTURE. 

31 

D 120-04 

MOV 

STRUCTURAL FAILURE. 

33 

A200-05I 

MAIN INJ 

PARTIAL BLOCKAGE OF AN OXIDIZER ORIFICE. 

34 

D130-03 

FPOV 

SHAFT SEAL LEAK. 

35 

D1 20-06 

MOV 

FREETING OF INTERNAL PARTS. 

38 

B400-20 

HPOTP 

LOSS OF COOLANT TO 1st & 2nd STAGE TURBINE COMPONENTS. 

44 

B200-24 

HPFTP 

FAILURE TO RESTRAIN SHAFT MOVEMENT at TURBOPUMP STARTUP 
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Phase II - Availability of Detailed Failure Signatures 

The goal of Phase II was to determine which of the 45 highest ranked 
failure modes had correlated test data that could be used for development 
of HMSRE algorithms. Correlated test data enables detailed failure 
signatures to be identified for the associated failure mode and increases 
the likelihood of successful algorithm development. 

Only those failure modes with an expected anomaly were evaluated during 
Phase II. (The possibility of a failure mode with no expected anomaly 
actually having an indication in the test data was considered but was not 
observed.) The failure modes were classified into two categories: 

Test Class A - Failure modes for which an anomaly was 

expected and correlated test data was identified. 

Test Class B - Failure modes for which an anomaly was 

expected but no correlated test data could be 
identified. 

The failure modes which had no related test history identified in Phase I 
were automatically classified as Class B failure modes. Those which had 
a related test history were evaluated to determine if the failure history 
provided sufficient data to characterize the failure signature of the 
associated failure mode. If sufficient data seemed to exist, the failure 
mode was designated Class A. Otherwise, it was designated as a Class B 
failure mode. 

The results of the Phase II investigation are shown in Table 3.2. Of the 30 
failure modes, correlated hot-fire test data was available for 11. 


Phase III - Effectiveness of Current Detection Systems 

The goal of Phase III was to estimate the effectiveness of existing 
detection systems for detection and minimization of engine damage for 
the failure modes under consideration. This factor enables the payoff of 
HMSRE implementation to be estimated for each failure mode. In other 
words, the greatest payoff will be achieved with an HMSRE that addresses 
failure modes which are not adequately detectable with existing systems. 
Little benefit is realized with detection of failure modes adequately 
protected against with existing systems. 
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TABLE 3.2 FAILURE MODE SORT - CORRELATED TEST DATA 


TEST CLASS A: CORRELATED TEST DATA 


[Rnk 

LRU-FM 

Component 

Failure Mode 


A1 50-01 

HEX 

COIL FRACTURE/LEAKAGE. 


B200-04 

HPFTP 

STRUCTURAL FAILURE OF TURBINE BLADES 


A340-02 

NOZZLE 

EXTERNAL RUPTURE. 


Dll 0-01 

MFV 

INTERNAL LEAKAGE. 


A600-04 

FPB 

NON-UNIFORMITY OF FUEL FLOW IN THE INJECTION ELEMENT 

8 

A200-06 

MAIN INJ 

LOX POST CRACK. 

13 

A200-09 

MAIN INJ 

INTERPROPELLANT PLATE CRACKS. 

36 

B400-13 

HPOTP 

LOSS OF SUPPORT, POSITION CONTROL ROTORDYNAMIC STABILITY 

37 

B200-07 

HPFTP 

TURBINE DISCHARGE FLOW BLOCKAGE. 

41 

B200-16 

HPFTP 

LOSS OF COOLANT FLOW TO TURBINE BEARINGS. 

42 

B200-17 

HPFTP 

LOSS OF COOLANT FLOW TO TURBINE DISCS. 


TEST CLASS B: NO CORRELATED TEST DATA 


tSliB 

LRU-FM 

Component 

Failure Mode 


C200-1 1 

PCA 

FAILURE TO SUPPLY HELIUM PRESSURANT. 

7 

B200-15 

HPFTP 

LOSS OF SUPPORT OR POSITION CONTROL. 

9 

B600-06 

LPFTP 

FUEL LEAKAGE PAST LIFT-OFF SEAL. 

10 

B400-03 

HPOTP 

TURBINE BLADE STRUCTURAL FAILURE. 

11 

B400-14 

HPOTP 

LOSS OF AXIAL BALANCING FORCE. 

12 

B400-07 

HPOTP 

FAILURE TO TRANSMIT TORQUE. 

15 

A330-02 

MCC 

FUEL LEAKS INTO THE CLOSED CAVITY (LINER & JACKET) 

16 

K1 03-01 

LPFTP DUCT 

FAILS TO CONTAIN HYDROGEN 

18 

D300-01 

ANTI-FLOOD VL\ 

LEAKAGE DURING PROPELLANT CONDmONING. 

20 

B800-06 

LPOTP 

LOSS OF SUPPORT AND POSITION CONTROL. 

22 

E150-14 

CCV ACT. 

SEQUENCE VALVE LEAKS - CNTRL PRESSURANT DOWNSTREAM 

24 

B400-23 

HPOTP 

TURBINE PIECE PART STRUCTURAL FAILURE 

25 

A330-03 

MCC 

INTERNAL RUPTURE AT THE MCC NOZZLE INTERFACE. 

27 

K203-01 

OX BLD FLX LIN 

FAILS TO CONTAIN OXIDIZER. 

32 

C200-07 

PCA 

INSUFFICIENT OR NO NITROGEN PURGE FLOW 

39 

D300-03 

ANTI-FLOOD VL\ 

LOW FLOW RESTRICTED OR SHUT OFF. 

40 

A700-02 

OPB 

LOSS OF FUEL TO ASI. 

43 

B400-18 

HPOTP 

LOSS OF COOLANT TO BEARINGS. 

45 

B200-23 

HPFTP 

LOSS OF BALANCING CAPABILITY. 


21 










Failure modes contained in test classes A' and B were evaluated to 
determine how effectively they would be detected with existing health 
monitoring and fault detection systems. The systems evaluated were 
redline monitoring, SAFD, and FASCOS. In each case a grade was assigned 
to each failure mode for each of the health monitoring and fault detection 
systems considered. 

Grading was based on the degree of engine damage expected to occur when 
detected by each system, according to the following scale: 

1. Not detectable 

2. Detectable - No Reaction Time 

3. Detectable - Serious Damage (Engine Level) 

4. Detectable - Moderate Damage (Component Level) 

5. Detectable - Minor Damage (Sub-component Level) 

6. Detectable - No Damage 

The results of this evaluation are shown in Table 3.3. The estimated 
effectiveness of SAFD, FASCOS, and redlines are indicated in columns 1, 2, 
and 3. Column 4 indicates the highest level of protection available if all 
of these systems are active. Detection of a failure mode, with the 
detection systems evaluated, was defined to be adequate if at least one of 
the existing systems was expected to detect the failure and cause engine 
shutdown with only minor damage (grade 5). These failure modes were 
classified as Detection Class B failure modes. Otherwise, the failure 
modes were classified as Detection Class A failure modes, indicating that 
the existing detection systems were inadequate for that specific failure 
mode. The Detection Class determined for each failure mode is shown in 
Table 3.3 under the DETECT, heading. Existing failure detection methods 
were estimated to be adequate (B) for 10 of the failure modes. The TEST 
column indicates the test class (see Table 3.2) of each failure mode. 
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Overall Failure Mode Classifications 


The result of the failure mode classification is that each of the 45 most 
likely failure modes that has an expected anomaly is classified into one of 
the four categories defined below: 

Class AA: These failure modes are not adequately protected against with 

existing detection systems. Therefore, HMSRE implementation of a 

detection scheme capable of more rapid detection has the potential for 
significant payoff. In addition, hot-fire test data has been correlated to 
each failure mode enabling greater confidence in detailed signature 
definition and increasing the likelihood of effective algorithm 
development. 

Class AB: These failure modes are not adequately protected against with 
existing detection systems. Therefore, HMSRE implementation of a 

detection scheme capable of more rapid detection has the potential for 
significant payoff. However, no hot-fire test data has been correlated to 
the failure modes; and effective algorithm development is somewhat 
uncertain. 

Class BA: These failure modes are adequately protected against with 

existing detection systems. Therefore, HMSRE implementation of a 

detection scheme capable of more rapid detection has little potential for 
significant payoff. Hot-fire test data has been correlated to each failure 
mode enabling greater confidence in detailed signature definition and 
increasing the likelihood of effective algorithm development. 

Class BB: These failure modes are adequately protected against with 

existing detection systems. Therefore, HMSRE implementation of a 

detection scheme capable of more rapid detection has little potential for 
significant payoff. No hot-fire test data has been correlated to the 
failure modes and effective algorithm development is somewhat 
uncertain. 

The overall classification of each failure mode is shown in Table 3.4. Of 
the 30 failure modes evaluated, 7 were classified as AA, 13 as AB, 4 as 
BA, and 6 as BB. 

The seven failure modes classified as AA were estimated to provide the 
highest likelihood of significant payoff if specific detection methods 
were implemented as part of the HMSRE. These failure modes are: 1) 
fracture and leakage of the heat exchanger coil, 2) structural failure of 
turbine blades in the high pressure fuel turbopump, 3) non-uniform fuel 
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flow in the fuel preburner injection elements, 4) cracking of the LOX posts 
in the main injector, 5) interpropellent plate cracks in the main .injector, 
6) loss of position control in the high pressure oxidizer turbopump, and 7) 
blockage of the high pressure fuel turbine discharge. 
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TABLE 3.4 FAILURE MODE CLASSIFICATION - LIKELIHOOD OF 
EFFECTIVE HMSRE IMPLEMENTATION 


CLASS AA FAILURE MODES 


IE22 

LRU-FV 

Component 

Failure Mode 

i 

A1 50-01 

HEX 

COIL FRACTURE/LEAKAGE. 

3 

B200-04 

HPFTP 

STRUCTURAL FAILURE OF TURBINE BLADES. 

6 

A600-04 

FPB 

NON-UNIFORMITY OF FUEL FLOW IN THE INJECTION ELEMENT 

8 

A200-06 

MAIN INJ 

LOX POST CRACK. 

13 

A200-09 

MAIN INJ 

INTERPROPELLANT PLATE CRACKS. 

36 

B400-13 

HPOTP 

LOSS OF SUPPORT, POSITION CONTROL, ROTORDYNAMIC STABILITY 

37 

FFwffB 

HPFTP 

TURBINE DISCHARGE FLOW BLOCKAGE. 


CLASS AB FAILURE MODES 



LRU-FM 

Component 

Failure Mode 

2 

7 

9 

10 

11 

12 

16 

20 

22 

24 

25 
27 
32 

C200-1 1 
B200-15 
B600-06 
B400-03 
B400-14 
B400-07 
K1 03-01 
B800-06 
E150-14 
B400-23 
A330-03 
K203-01 
C200-07 

PCA 

HPFTP 

LPFTP 

HPOTP 

HPOTP 

HPOTP 

LPFTP DUCT 

LPOTP 

CCV ACT. 

HPOTP 

MCC 

OX BLD FLX LIN 
PCA 

FAILURE TO SUPPLY HELIUM PRESSURANT. 

LOSS OF SUPPORT OR POSITION CONTROL 
FUEL LEAKAGE PAST LIFT-OFF SEAL 
TURBINE BLADE STRUCTURAL FAILURE. 

LOSS OF AXIAL BALANCING FORCE. 

FAILURE TO TRANSMIT TORQUE. 

FAILS TO CONTAIN HYDROGEN 

LOSS OF SUPPORT AND POSITION CONTROL. 

SEQUENCE VALVE LEAKS - CNTRL PRESSURANT DOWNSTREAM. 
TURBINE PIECE PART STRUCTURAL FAILURE 
INTERNAL RUPTURE AT THE MCC NOZZLE INTERFACE. 

FAILS TO CONTAIN OXIDIZER. 

INSUFFICIENT OR NO NITROGEN PURGE FLOW 


Cl 

LASS BA FAILURE MODES 

[223 

LRU-FM 

Component 

Failure Mode 

1 

i 

NOZZLE 

MFV 

HPFTP 

HPFTP 

EXTERNAL RUPTURE. 

INTERNAL LEAKAGE. 

LOSS OF COOLANT FLOW TO TURBINE BEARINGS. 
LOSS OF COOLANT FLOW TO TURBINE DISCS. 


CLASS BB FAILURE MODES 


Rnk 

LRU-FM 

Component 

Failure Mode 

15 

18 

39 

40 
43 
45 

A330-02 

D300-01 

D300-03 

A700-02 

B400-18 

B200-23 


FUEL LEAKS INTO THE CLOSED CAVITY (LINER & JACKET) 
LEAKAGE DURING PROPELLANT CONDITIONING. 

LOW FLOW RESTRICTED OR SHUT OFF. 

LOSS OF FUEL TO ASI. 

LOSS OF COOLANT TO BEARINGS. 

LOSS OF BALANCING CAPABILITY. 
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SECTION 4 - DAMAGE MINIMIZATION TECHNIQUES 

The goal of this effort .vas to define HMSRE actions which most 
effectively minimize damage to the engine after a failure is detected. To 
ensure near term applicability and compatibility with the current SSME, 
the techniques evaluated were limited to those available through the SSME 
Block-1 1 controller. 

The basic damage minimization actions available to the HMSRE are: 1) 
actuator lockup, 2) downthrust, and 3) shutdown. Evaluation of each 
technique led to the conclusion that in a test stand environment (where 
damage minimization is the only concern), engine shutdown is the 
appropriate HMSRE action whenever a failure is detected. In flight, 
however, downthrusting becomes a viable option for extending engine life 
and minimizing damage within mission completion constraints. 

Each damage minimization action is discussed below. 


Ac tuator Lo cku p 

Actuator lockup results in each control actuator being "locked" into its 

current position. Two locking mechanisms are available on the SSME, 
hydraulic lockup and electrical lockup. Hydraulic lockup is in response to 
a loss of hydraulic power. In this case, the hydraulic lines are sealed off; 
locking the actuators in their current positions. Electrical lockup is in 
response to unresolvable faults in the controller. New commands are 
inhibited, and the actuators are maintained at their current positions. 

Actuator lockup enables the engine to continue firing (although in a 

degraded mode) in the event of control system failure, but provides no 

damage minimization capabilities beyond those already available through 

the action of the Block-ll controller. 

Downthrust 

Downthrusting minimizes engine strain by reducing pressures, 
temperatures, speeds, and vibrations throughout the engine. If damage has 
occurred, the damage is likely to continue propagating through the system, 
but at a reduced rate. Therefore, in situations where the engine can be 
safely shutdown (e.g. on a test stand), the HMSRE would never downthrust 
an engine. Engine shutdown at the earliest "probable failure" indication 
would minimize damage. 
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In flight applications, however, engine shutdown could result in a loss of 
mission. In this case it would not be practical to shutdown an engine at 
the earliest "probable failure" indication. Two options axist in flight: 1) 
continue normal operation, or 2) downthrust, when possible, to reduce the 
rate of failure propagation. In both cases the engine could still be 
shutdown if an impending catastrophic failure is indicated. 

The basic strategy for downthrusting an engine would be to downthrust, if 
possible, when a "probable failure" is indicated and continue operation 
until the mission ends or an impending catastrophic failure is indicated. 

Implementation of this capability requires propulsion level coordination 
to maintain the required vehicle thrust and manage issues such as: 1) 
mission completion requirements, 2) status of other engines, 3) available 
abort modes. For example, if mission success requires three engines at 
109% thrust, an engine indicating a probable failure would not be allowed 
to downthrust. However, if mission success requires three engines at 
100% thrust, an engine indicating a probable failure could be downthrust 
to 82%. The other two engines would be upthrust to 109% to compensate 
for the lost thrust. This approach reduces the strain on the engine 
indicating a probable failure, without jeopardizing mission success. The 
reduced strain and failure propagation rate would result in the minimum 
engine damage within the constraints of mission success. 

Shutdown 

Damage is expected to be minimized in all cases if an engine is shutdown 
immediately upon detection of a failure. This action would confine the 
existing damage by preventing further propagation of the failure. 

The primary shutdown mechanism of the Block-ll controller is a hydraulic 
shutdown in which the actuators are actively sequenced by the controller. 
This mechanism is initiated through a command to the controller and is 
completed in just over 5 seconds. A pneumatic shutdown sequence is also 
available. The pneumatic shutdown is a passive sequence initiated by a 
loss of controller electrical power. The pneumatic system is orificed 
such that the passive pneumatic sequence matches the actively controlled 
hydraulic sequence. Since the valve sequencing is identical (or very 
similar) with either shutdown mechanism, no damage minimization 
advantage between them could be established on that basis. However, one 
advantage exists in that the hydraulic shutdown system is backed up by 
the pneumatic system. Directly initiating a pneumatic shutdown removes 
a level of redundancy in the system and offers no benefit to the engine. 
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Therefore a commanded hydraulic shutdown was selected as the HMSRE 
response to a detected failure. 
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5.0 EVALUATION OF METHODS TO DETECT FAILURES 

This section discusses the various failure detection techniques evaluated 
and considered for inclusion in the HMSRE framework. 


5.1 OVERVIEW 

The failure detection techniques evaluated during this program can be 
divided into nine types: 

1. Advanced Redlines 

2. Parameter Correlation 

3. Analytical Models to Predict Remaining Life 

4. Non-lntrusive Measurement Approaches 

5. Model Based Failure Detection 

6. Data Trending 

7. Operational Envelope Based Failure Detection 

8. Power Level Dependent Algorithms 

9. Vibration Monitoring 

The failure detection techniques evaluated were candidates for inclusion 
in the HMSRE. The results of these evaluations provided the basis for key 
features of the framework described in Section 6. 

The techniques were evaluated to identify current SSME applications, 
strengths, and weaknesses. In addition, compatibility with the Block-ll 
SSME was evaluated. The failure detection techniques and evaluation 
results are discussed in the following sections. 


5.2 ADVANCED REDLINES 

Advanced redlines are based on a different philosophy than existing 
redlines. The current redlines are defined to be values at which severe 
engine damage is inevitable. For example, a temperature redline might be 
set at 1800R if the maximum operating temperature of some component is 
1825R. This philosophy is fine for avoiding catastrophic engine failures 
caused by a specific component failure. However, engine failures go 
undetected until this limit is reached, often resulting in considerable 
damage. 

Advanced redlines, applicable to the HMSRE, set limits on a different 
basis. These limits are set such that a significant anomaly, not 
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necessarily dangerous in- itself, is detectable. An example of this might 
be a temperature redline set at twice the usual deviation from its nominal 
operating point. The tighter limits allow a faster response to engine 
failures. The major issues with this approach are identification of the 
nominal value and definition of a significant anomaly. A "significant 
anomaly" obviously must be greater than the expected variation in the 
monitored parameter. These variations can be reduced (thereby enabling 
tighter limits) by using a longer averaging interval. The averaging 
interval selected would try to optimize the trade between signal 
smoothness and response time. 

Significant anomalies can be readily determined through a statistical 
analysis of the redline parameter for both nominal and engine failure test 
cases. Nominal values, however, change with power level and differ 

significantly between engines. Figures 5-1 to 5-4 show nominal test data 
(turbine discharge temperatures) for 8 different engines over the entire 
range of power levels. Each data point represents a 1 second average and 
is plotted at the corresponding power level. Clearly, in order to 
accurately define a nominal value, power level and engine specific 
correction strategies must be used. 

For example, consider the HPOT discharge temperature (Figure 5-1). An 
advanced redline, applicable to all engines and power levels, would have to 
be set above 1500R. Assume a value of 1550R is selected. This value is 
only about 50R above the highest value expected and would detect 
deviations as small as 50R above the nominal value for the high end of the 
expected range. However, at lower power and with another engine, the 
operating value could be as low as 950R. In this situation a deviation of 
600R would be required before the redline is exceeded. Clearly, this 
parameter would be better monitored if the engine to engine variation and 
power level were accounted for. 

Some indication of the corrections needed, to accurately define a nominal 
value, is provided by the ratio of typical signal noise and engine to engine 
deviation (or power level deviations). For example, if a temperature 
signal typically deviates by 50R for a single engine, engine to engine 
corrections are of little value if the engine to engine variation is only 
10R. A summary of this information is shown in Table 5.1 for several 
advanced redline candidates. A large signal to noise ratio indicates that 
an advanced redline will be more effective if appropriate correction 
strategies are applied. 
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A-2 TEST STAND REDLINE S,„OY (SITE, 1 SEC AVG DATA) 






FIGURE 5-3 ENGINE TO ENGINE VARIATIONS - HPFT DS TMP A 










TABLE 5.1 SIGNAL TO NOISE RATIO FOR ENGINE SPECIFIC AND POWER DEPENDENT 

REDLINES 


S/N 


Typical 

Signal 

Noise 

±11 °R 
±8.7°R 
±12°R 
±10°R 
±0.41% 
±0.56% 
±925 rpm 
±9.2 psia 
±3.3°R 

Nominal 
RPL to FPL 
Variation 

E co 

? ? c 1 ^ 5 s 8- S3 CC 

oioascocoTfOoj^-r- 

W CM 

i 

! 

S/N 

15.9 

12.6 

12.0 

14.5 

8.5 

7.7 

0.7 

0.1 

18.2 

Typical 

Signal 

Noise 

OCOCCEIE^S 2 §.*§□: 

o O o O T““ CO w o 

£ 5 2 £ ^ ^ to^c? 

jj 3 44 44 O O C\l • CO 

Max Engine 
to Engine 
Variation 

175°R 
110°R 
140°R 
145°R 
3.5% 
4.3% 
635 rpm 
0.5 psia 
60°R 

Measure- 

ments 

HPFT DSTA 
HPFT DS T B 
HPOT DS T A 
HPOT DS T B 
FPOV Act Pos 
OPOV Act Pos 
HPFP Speed 

MCC Pc Avg 

MCC Coolant 
Discharge Tmp 
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As shown by Table 5.1, the effectiveness of most redlines would be 
greatly enhanced if engine to engine and power level variations are 
accounted for in the definition of a nominal value. 

Power level variations are easily addressed since the changes are 
analytically predictable. A power dependent redline could simply be 
changed in accordance with the test or flight thrust profile. An example 
of what a power level dependent redline might look like is shown in Figure 
5-5. 


Engine to engine variations are considerably more difficult to predict 
analytically since the changes are caused by subtle differences in the 
manufactured hardware. Two general approaches have been identified to 
address this issue. The first approach is to base the nominal value on 
values observed during prior tests of the same engine. It should be noted 
that replacement of a line replaceable unit (LRU) may yield different 
operating levels and therefore constitutes a different engine. Since LRUs 
are routinely changed, this approach has limited applicability. 

The second approach is to observe an operating point during the initial 
seconds of steady state, and define this value to be nominal. This 
approach provides accurate engine specific information even if the engine 
has never been fired before. Another advantage is the ability to account 

for test to test variations in a parameter. While these variations are not 

as large as those between engines or power levels they can be significant. 
Figures 5-6 to 5-9 show the test to test turbine discharge temperature 
variations for four firings of the same engine. A drawback to this 

approach is that failures cannot be detected during the start transient or 
the first few seconds of mainstage. However, if the parameter continues 
to increase (or decrease) the relatively tight limits set for an advanced 
redline would detect the failure shortly after monitoring begins. 

Several general considerations, on the use of redlines, should be 
addressed. First, a single sensor malfunction should not cause an engine to 
shutdown. This would obviously be the case if a redline parameter was 
measured by only a single sensor and that sensor began to drift. 

Therefore, advanced redlines are limited to those parameters for which 
multiple measurements can be obtained. Secondly, confidence that an 
engine failure is occurring is relatively small if only one measurement is 
indicating an anomaly. Finally, redlines provide possible failure 
indications with a minimum of computational time. 
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Redlines alone are not adequate for an effective damage minimization 
system due to their inherent limitations. However, they could be a 
valuable element of a more encompassing detection system by providing 
rapid information at very little computational cost. 


5.3 PARAMETER CORRELATION 

Early failure indications can be classified into three distinct groups for 
analysis: 1) those that are directly observable with available 

instrumentation (e.g. increased HPFP speed), 2) those that are not directly 
observable, but cause observable changes in the measured parameters 
(e.g. loss of HPFP efficiency), and 3) those that are not observable with 
existing instrumentation (e.g. cracked turbine blades). 

This section discusses the second group of early failure indications, those 
that are not directly observable. Two approaches were evaluated for 
estimating these parameters. In the first, the parameter is calculated 
from measured parameters. Ideally, this provides an accurate estimate 
of the actual value. However, the calculation is dependent on a complete 
set of data and the loss of a single measured parameter (i.e. a sensor 
failure) could invalidate the estimate. Since sensor failures are far more 
common than other types of failures on the SSME, this represents a major 
weakness for the approach. 

The second approach for estimating parameters, that are not directly 
observable, is to correlate changes in measured parameters. For example, 
a loss of HPFP efficiency is expected to result in an increased HPFT 
discharge temperature and a decreased HPOT discharge temperature (Since 
the degraded HPFTP requires a disproportionately, greater amount of 
energy in the turbine to obtain the required pump output). Therefore, if an 
increase in the HPFT discharge temperature is measured and a decrease in 
the HPOT discharge temperature is measured, a change in the HPFP 
efficiency can be postulated and a value approximated. For the class of 
failures resulting in degraded HPFP efficiency, the correlated value "HPFP 
efficiency" provides an earlier failure indication than either of the turbine 
discharge temperatures evaluated individually. This approach is unable to 
provide an absolute value for unobservable parameters, but quantitatively 
indicates changes. Since failures are generally indicated by changes in 
key operating parameters, this is not seen as a deficiency. The major 
advantages of this approach are the relatively simple computations 
required and insensitivity to sensor failures. 
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Correlation of individual sensor values to estimate changes in key engine 
operating parameters, for the purpose of failure detection, is a well 
established technique used on jet engines known as gas path analysis. 

Evidence that multiple failure indications exist and potentially represent 
correlated sets for rocket engine failures is obtained by evaluating the 
available SSME test history (Figure 5-10). The top section of this figure 
represents the direction of the observed changes in individual sensors for 
a set of SSME failures. As can be seen for the case of LOX post failure, 
which represents the largest group of similar failures, a fair degree of 
correlation exists in the observed sensor anomalies. For example, both 
turbine discharge temperatures increase in 5 of the 6 failure cases. 
Additionally, multiple sensor indications are observed for all cases. In 
fact, 8 or more anomalies were seen for 13 of the 21 cases evaluated. 

Four specific parameters were evaluated for the HMSRE: 1) HPOTP 

efficiency, 2) HPFTP efficiency, 3) MCC combustion efficiency, and 4) Fuel 
leakage. The first three represent key engine operating parameters while 
fuel leakage provides an example of how correlation of measurable 
parameters can be applied to specific failure detection. 

Decreases in pump operational efficiency can result from hydraulic 
losses, disk friction losses, mechanical losses, and leakage losses. 
Similarly, turbine operational efficiency is degraded by nozzle losses, 
blade losses, leakage or clearance losses, disk friction losses, and 
mechanical losses. Therefore, even though failures that increase these 
losses may not be specifically observed, they can be correlated to, and 
will be indicated by, efficiency degradations. 

Specific correlations between measurable SSME quantities and the 
parameters listed above were determined using the SSME engine balance 
model. For each of the cases identified, two sets of data were generated. 
The first set listed key, measurable SSME quantities using a nominal value 
for the "unobservable" parameter. In the second set, a degraded value was 
used (e.g. a 5% loss of HPFP efficiency). Differences between these sets 
were calculated and tabulated. The model results indicated that definite 
correlations exist in the set of SSME measured parameters for each of the 
cases evaluated. Complete model results are provided in Attachment 4. 

The number of individual sensor anomalies observed for each SSME failure, 
the commonality demonstrated for similar failures, and the correlations 
predicted by the SSME engine balance model indicate that correlation of 
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measured parameters can enhance failure detection by estimating system 
level parameters sensitive to a large number of failure modes. 


5.4 ANALYTICAL MODELS TO PREDICT REMAINING LIFE 

Two classes of analytic life prediction models were identified. The first 
class consists of models based on past performance of similar 
components and/or calculations of expected life. An example of this 
approach is the Automated Cycle Time System (ACTS) used by Rocketdyne 
for the SSME. In this case, the number of starts, time at a given 

temperature, maximum pressure reached, and. other similar parameters 
are recorded for individual components. Each factor is assumed to reduce 
the life of a component by a predetermined amount. When the estimated 
useful life of a component is expended, the part is inspected and/or 
replaced. This system provides valuable maintenance information, but 
due to the somewhat inexact nature of the useful life estimates, this 
approach is not suitable for real-time monitoring of the engine. 

The second class of remaining life models are those that predict 
remaining life based on real-time monitoring of some attribute of the 
specific component. The actual parameter measured in this approach is 
the amount of component degradation, not remaining life. Remaining life 
is inferred based on previous experience, calibration tests, or theoretical 
relationships. An example of this approach is monitoring specific bearing 
frequencies and correlating measured amplitudes to the amount of 
degradation in the bearing. While these models are useful in calling 
attention to a specific component (for either maintenance or more 
thorough evaluation), their use is limited in a real time system, due to the 
inability of existing algorithms to provide the confidence and resolution 
required for real time decisions. The confidence and resolution of these 
models increase as the failure becomes more immediate. Therefore, one 
possible scheme to use these models may be to issue a shutdown command 
if a failure is imminent. The "time before failure" when an engine cutoff 
command is issued could be gradually extended as the algorithm is refined 
and confidence is gained in the results. 

Analytical remaining life models may provide early engine cutoff for 
specific component failures, but are too limited in scope to provide an 
adequate damage minimization system. These models are best utilized to 
address specific problems not adequately covered by a more 
comprehensive failure detection scheme. 
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5.5 NON-INTRUSIVE MEASUREMENT APPROACHES 

Benefits of these sensors include greater accuracy since they do not 
perturb what they try to measure and less physical restriction since 
they do not require a mechanical interface for the measurement. 
Consequently, they should be relatively simple to implement with minimal 
hazard to the existing engine. Some of these sensors are unique in that 
they can be ground-based and monitor the engine during test on a stand 
and possibly during the first minutes of flight. Sensors which do not 
require any modification of the engine or engine components also save 
time and money that would be spent on redesign and evaluation of the new 
design for safety and operational verification. 

This section discusses advanced instrumentation concepts which might 
be suitable for health and condition monitoring during test stand 
operation and eventual flight application. 

The sensors listed in Table 5.2 were selected for consideration due to 
their potential for health monitoring capabilities. This list was then 
pared to four candidates (Table 5.3) based upon the requirements of 1) 
minimal program risk, 2) real time anomaly indication, 3) operation 
remote from the engine, 4) applicability to unmodified engine, and 5) 4-6 
year implementation. Plume tomography, raman spectroscopy, and induced 
flourescence were estimated to be unavailable in the 4-6 year time frame 
since they are still in the laboratory phase of development. Bearing/shaft 
monitoring technologies were deemed Intrusive, requiring either intrusive 
instrumentation or alteration to internal engine components. 
Delamination, fatigue, and acoustic measurements (EMAT) are between 
flight technologies and are therefore not applicable to a real-time HMSRE. 

The four candidates: plume emission spectrometry, remote leak 

detection, thermography, and acoustic monitoring are discussed in the 
following subsections. Plume spectrometry is discussed in the greatest 
detail since this technology is well established and is included in the 
baseline HMSRE framework. The other three candidates are briefly 

discussed. Each represents a potentially significant improvement in 
rocket engine health monitoring, but it is felt that none of these systems 
are sufficiently developed for implementation under this program. 


47 



5.5.1 Plume Emission Spectrometry 

Radiant energy is both emitted and absorbed by rocket engine exhaust 
plume gases at wavelengths characteristic of the combustion species 
present. These spectral signatures are uniquely representative of the 
material makeup of the plume. Each atomic and molecular species is 
recorded as its own spectral line, band, or continuous structure within a 
spectral record and describes either nominal or anomalous engine 
behavior. Anomalous behavior evident in the emission spectra is a result 
of damage, erosion, or wear of engine components. It is manifested by 
the erratic behavior of spectral line amplitude as a function of time or 
an unusual amplitude of the spectral signature of the material or 
materials representative of the component in question. Unique materials 
can be traced to the source engine component. 

Plume emission spectrometry is a proven technology. Spectrometers are 
currently in use at the MSFC test stands for plume monitoring. 
Additionally, Rocketdyne has an in house system used for monitoring 
engine tests at the Santa Susana Field Laboratory (SSFL). 

Examples of the data available with a plume monitoring system are 
provided by the data obtained by Rocketdyne as indicated in Table 5.4. 
Characteristic spectra for nominal tests have been determined but 
anomaly thresholds still need to be established. Some failure data has 
been recorded and emission spectra from events such as engine hardware 
erosion, and foreign material contamination stand in marked contrast to 
the spectra normally seen during engine hot-firings. Also shown in Table 
5.4 is a list of plume anomalies observed during 100 plus recorded tests 
along with the materials exhibiting anomalous behavior. A more 
complete list of materials observed in the plumes, and possible sources 
of contamination, is shown in Table 5.5. Attachment 5 presents a list of 
SSME failure modes expected to show plume anomalies and the materials 
expected. 
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TABLE 5.2 ROCKETDYNE ADVANCED INSTRUMENTATION 

APPLICABLE TO SSME 


TECHNOLOGY 

APPLICABILITY 

Preflight 

In-Flight 

Test Stand 

LEAK DETECTION 

• 

• 

• 

SPECTROMETRY - PLUME 


A 

A 

EMISSION/ABSORPTION 


W 

w 

TRACKING 


• 


TOMOGRAPHY 



• 

RAMAN 



• 

PLANAR LASER INDUCED FLOURESCENCE 



• 

THERMOGRAPHY/PYROMETRY 



g^ 

PLUME 


• 

W 

NOZZLE 

• 

• 

• 

ENGINE 

• 


• 

BEARING/SHAFT MONITORING 




ACCELEROMETERS/STRAIN 


• 

• 

ISOTOPE 

• 

• 

• 

DELAMINATION/CRACK DETECTION 

• 


• 

FATIGUE DETECTION 

• 

1 

• 

ACOUSTICS 


• 

• 

ELECTROMAGNETIC ACOUSTIC TRANSDUCER 

• 


• 








TABLE 5.3 NON-INTRUSIVE MEASUREMENT CANDIDATES 


TECHNOLOGY 

APPLICABILITY 

Preflight 

In-Flight 

Test Stand 

LEAK DETECTION 

• 

• 

• 

SPECTROMETRY - PLUME 




EMISSION/ABSORPTION 


• 

• 

THERMOGRAPHY/PYROMETRY 




PLUME 


• 

• 

NOZZLE 

• 

• 

• 

ENGINE 

• 


• 

ACOUSTICS 


• 

• 
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While the principle of analyzing plume emitted radiant energy is not new, 
the adaptation of digitized plume data to real-time processing is required 
for safety/damage minimization systems. Rocketdyne has done this with 
the in-house spectrometry system. This system scans from the near- 
ultraviolet (UV) to the near-infrared (IR), and has been interfaced to a 
PC-AT type computer. The computer executes programmed data 
acquisition and orchestrates analysis of the data. Control signals and 
data are transferred via an IEEE bus. The spectrometer has software 
selectable spectral scan times as small as 10 ms, internal analog to 14 
bit digital conversion, and a 4 Megabyte RAM memory. These 
capabilities allow automated evaluation of plume spectra and the capture 
of transient engine events. A pictorial description of spectrum analysis 
is shown in Figure 5-11. The recorded data is used to produce two types 
of graphs. The first is a plot of Intensity versus wavelength also 
plotted against time (Waterfall Plot) as In Figure 5-12, while the second 
is a plot of the intensity of a specific spectral line against time as in 
Figure 5-13. These two types of plots are useful in identifying and 
characterizing key features of the spectra. 

Of the one hundred plus tests observed in the past three years, four are 
of particular note. During an OTV test, in January of 1987, a fuel 
turbopump bearing seized. Material from the damaged cage is clearly 
seen in Figures 5-12 and 5-13 (as CaOH) prior to the redline cutoff of the 
engine. A similar event befell an SSME development engine in April of 
the same year when an oxidizer turbopump bearing seized. The second 
example shows what was observed when a large piece of copper tape, 
used during a leak check procedure, is left inside the main combustion 
chamber (see Figure 5-14). Even though the tape quickly burned away, the 
spectrometry system was able to record increased levels of copper 
compounds in the plume. The key aspect of this test is validation that 
copper is detectable and identification of compounds created. This is key 
to SSME combustion device failure detection since several key combustion 
device components (e.g. baffles) are made from copper alloys. The third 
example was a high speed view of the SSME startup transient that 
showed foreign material contamination flushed from the engine. A 
fourth example shows preburner faceplate erosion caused by a 
purposely bent injector post. In this test, chromium is readily observed 
in the plume. Other structural materials were also indicated though not 
as strongly as the chromium spectral line. All of these examples serve to 
characterize the spectral signatures of foreign materials within the 
plume. 
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The plume 
information, 
asset to a 


spectrometry system has proven capability to provide 
not otherwise available, and therefore represents an 
failure detection system. 


failure 

unique 
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TABLE 5.4 ROCKETDYNE'S GROUND-BASED PLUME SPECTROMETRY STATUS 
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TABLE 5.5 OBSERVED SPECTRAL FEATURES IN SSME PLUMES 


SPECIES 

WAVELENGTH 

OCCURRENCES 

PERCENTAGE OF 

POSSIBLE 


pBBW 

IN 28 TESTS 

OCCURRENCE 

SOURCE 

Ha 

589.0/589.6 

28 

100 

Propellants 

K 

404.4/404.7 

11 

39 

Propellants 


766.5/769.9 

28 

100 


CaOH 

555 

28 

100 

Propellants, 


603 

26 

93 

Bearing Cages 


623 

28 

100 



645 

28 

100 


OH 

306.4 

28 

100 

Oa/Ha Combustion 

Li 

670.8 

28 

100 

Dry Film Lube 

Ca 

422.7 

24 

86 

Propellants , 
Bearing Cages 

CaO 

420-430 

23 

82 

Propellants , 
Bearing Cages 

Ni/OH 

341-352 

16 

57 

Structural 

Materials, 

Oa/Ha Combustion 

Cr 

425-428/520.6 

11 

39 

Structural 

Materials 

Fe 

371-375/386 

11 

39 

Structural 

Materials 

Sr 

460.7 

1 

4 

Structural 

Materials 

SrOH 

606/682 

1 

4 

Structural 
Material s 

CuOH 

537 

1 

4 

Copper Tape, 
Baffles, MCC 

CuH 

428-433 

1 

4 

Copper Tape, 
Baffles, MCC 

Cu 

324.8/327 .4/510 

.6 1 

4 

Copper Tape, 


Baffles, MCC 
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FIGURE 5-11 PLUME EMISSION/ABSORPTION ANALYSIS 




EXPOSURE TIME l 0.2 SECOND 
FRAME RATEl 5 SCANS/SECOND 
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FIGURE 5-12 EXAMPLE PLUME SPECTRAL SIGNATURE - TIME DEPENDENT 




SSHE PLUME SPECTRA 
7 AUGUST 1987 
A-3 TEST #750-296 
ENGINE 0210 
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FIGURE 5-14 PLUME SPECTRAL SIGNATURE - COPPER 



5.5.2 External Leak Detection 


Two general methods are being developed for performing external leak 
detection of propellents on rocket engines, mass spectrometry and optical 
measurements. With current technology, neither system meets the 
requirements for a real-time, SSME failure detection system as defined in 
this program. For early detection, a small propellent leak must be 

identified and the source isolated (e.g. a leak in the powerhead is worse 
than a nozzle leak). Mass spectrometry provides accurate detection of 
propellent gasses but is unable to isolate the source of leakage. Optical 
measurements, on the other hand, provide an image of the engine and 
enable isolation of leaks, but are currently unable to accurately detect 
propellent gases. A brief discussion of optical methods is presented 
below to illustrate the development currently underway to enable 
detection of propellent gases. 

During flight or on a test stand, the gases available for leak detection 
are 02, H2, and H20. Radiant emission and absorption bands for water 
and oxygen can be found in the UV and in the near-IR. The near-IR 
absorption lines are easily accessed using commercial lasers. The UV 
spectrum can be accessed by flash lamps. Rocketdyne has demonstrated 
the detection of oxygen to as small as one percent of the ambient 
atmosphere using this optical UV method. The H20 leaks of interest would 
be comprised of leaking steam and could be monitored with an IR 
detector without electromagnetic stimulation from a laser or flash 
lamp source. Another promising method for remote monitoring of 
propellent leaks is a small Raman scattering system that Rocketdyne is 
currently investigating (for hydrogen leaks). 


5.5.3 Thermography/Pyrometry 

Engine Hardware - Remote thermal monitoring of engine hardware can 
aid in the detection of hot gas leaks, hardware cracks, debonds, and 
delaminations. Many engine parts are insulated but serious problems may 
still be manifest in these areas especially if they involve leaking hot 
gases. Hydrogen fires, invisible to the naked eye, can easily be spotted 
thermographically. During an SSME test previous to this study, 
Rocketdyne thermography detected an external nozzle fire which was 
otherwise undetected. Inspection of the hardware after conclusion of the 
test verified the fire and the damage caused. 
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Plume - Thermographic monitoring of the plume can provide valuable 
information regarding p'ume temperatures. Plume temperatures and 
temperature distribution are related to mixture ratio, mixing efficiency, 
burn efficiency, and engine stability. Although decisions may not be 
made on this information alone, it may provide anomaly information 
which corroborates or clarifies other sensor data and which is valuableto 
the decision process. 


5.5.4 Acoustic Monitoring 

Acoustic monitoring of the engine may provide information on leaks, 
turbopump conditions, engine instability, or other anomalies. Although 
the SSME produces approximately 150 decibels of acoustic output, it is 
not clear where the spectrum drops off or how quickly it drops. This 
should be investigated more completely. Anomaly information may be 
provided by signals in spectral regions of low acoustic output from the 
engine or from the variation with time of relevant spectral bands. 


5.6 MODEL-BASED FAULT DETECTION 

Two areas were investigated for this type of failure detection: 1) 
analytical sensor redundancy, and 2) model based engine failure detection. 

5.6.1 Analytical Sensor Redundancy 

There are three approaches to sensor redundancy: 1) hardware, 2) 

analytical, and 3) temporal. Hardware redundancy utilizes many sensors 
to measure the same variables. In the analytical approach, a model is used 
that estimates the required parameter/variable via information of 
dissimilar sensors. Temporal redundancy makes use of redundant 
information from successive samples of the output of a given sensor to 
identify failures. Range and rate checks are common examples of the 
latter method. 

With analytical redundancy, values of parameters are derived from 
mathematical models, based on actual or simulated inputs, and are 
compared with the measured values of the corresponding parameters. This 
approach provides redundancy through analytically derived information 
that is computed on-line real-time and can eliminate the need for 
hardware redundancy (or provide redundancy where none currently exists) 
in many cases. 
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In general, one would first study the system observability characteristics 
and would prefer a reduced order obsen/er that will function under failed 
sensors/actuators. Under these conditions tne system matrices would be 
modified to reflect the failed sensor or actuator reductions. 

An example of how analytical redundancy could be used to increase the 
reliability of a monitoring system is provided by the case of the HPOTP 
intermediate seal drain helium pressure. Presently, this parameter is 
measured by one pressure transducer with two channels upstream of the 
seal. In flight conditions there is no helium flowrate sensor. Thus, 
flowrate is inferred from helium bottle pressure, density, skin 
temperature and volume. The flowrate is normally at 240 standard cubic 
feet per minute and the redline minimum on the pressure is 170 psia. If 
the pressure transducer experiences a hard failure (i.e., reads zero or 650 
psia), then it is disqualified and the engine operates without a pressure 
redline on helium. 

However, in order to avoid such dangerous elimination of sensors, there is 
an alternate approach that enhances the functional reliability of the 
overall engine control system by reconstructing or estimating the critical 
signals from dissimilar types of sensors under the assumption of 
"sufficient observability." For the pressure sensor of the above mentioned 
seal, the pressure can be inferred analytically on-line real-time and 
compared with the sensor readings. In case there is a sensor failure, the 
analytically redundant sensor can be utilized as backup. 

Since many parameters on the SSME are represented by only single 
measurements, analytical redundancy provides a means of significantly 
improving the reliability of a failure detection system. 

Additionally, the same basic approach can be applied to verification of 
actuator responses. Input signals to actuators are sometimes not 

implemented in a desirable manner, thus producing off-nominal outputs 
Analytical approaches toward the identification of such anomalies 
presently exist in the SSME controller. Namely, the Rotary Variable 
Differential Transformer (RVDT) output of the actuator signal is compared 
to the actuator model output to detect out-of-limit actuator operation. 
Moreover, actuator rate changes are monitored via servo-actuation error 
indicator interrupts, whereby the vehicle is commanded to shut down in 
case of significantly anomalous behavior. Thus, analytical techniques are 
currently in use in the SSME controller, providing advantages that enhance 
overall engine reliability and performance. 
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5.6.2 Model Based Engine Failure Detection 

Most model-based methods rely on analytical redundancy. Using present 
and/or previous measurements of certain variables in conjunction with 
the mathematical model describing their relationship, analytical values 
are generated and compared with measured values. The difference 
between the analytical and measured values is called a residual. Thus, the 
failure detection procedure in the model-based approaches rests on three 
tasks: 1) residual generation, 2) statistical testing and signature 

generation, and 3) decision making and diagnostics (in case of 
identification and isolation). 

Model based diagnostics generally are most useful for detection and 
identification of specific failure types. Therefore to illustrate the 
concept, a fuel leak detection scheme, in which the oxidizer flow is 
mathematically modelled, is presented below as an example. 


Example: Model Based Fuel Leak Detection 

An analytical approach that calculates mixture ratio (of oxygen to 
hydrogen) and compares the result with the internally generated mixture 
ratio, can determine the existence of leakage in the fuel lines. 

Simulations were carried out on the SSME analytical model and leaks were 
introduced to evaluate the concept. The results of the simulations 
indicate clearly the introduction of leaks in several parameter outputs. 
For this study, leaks of 2, 5, and 10 Ib/sec (just downstream of the main 
fuel valve) were simulated to demonstrate the potential leak detection 
and engine mixture ratio control using the alternate mixture ratio 
computation. 

A direct approach is taken whereby the oxygen flow calculation is used to 
compute the MR in the SSME more accurately, reflecting the effects of a 
fuel leak on the various engine parameters. To accurately estimate the 
total oxygen flow used by the engine, three paths must be considered: 1) 
MCC flow, 2) FPB flow, and 3) OPB flow. 
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Oxygen flow from the Main Oxygen Valve (MOV) to the main combustion 
chamber is given by the following equation: 

1/2 

w Pc - 24.2 (Pdo - Pc) — (1) 


where Pdo is the HPOTP discharge pressure and P c is the main chamber 
pressure. 

The following equation provides the oxygen flow through the fuel 
(hydrogen) preburner: 


w FPB * 


PPDO -PFP 


2 

0.2143 + 116.5/AF 


1/2 


-(2) 


where PpDO > s th© preburner oxygen (boost) pump discharge pressure, Pfp 
is the fuel preburner pressure, and Ap is the fuel preburner oxidizer valve 
flow area. 

In order to calculate the oxidizer flow through the oxidizer preburner, the 
assumption was made that the oxygen and hydrogen preburner pressures 
are equal in steady-state conditions. Since the oxidizer preburner 
pressure is not measured during flight, the fuel preburner pressure was 
used as an estimate. 

Table 5.6 shows the ratio of pressure drop from the preburner pump 
discharge to the oxidizer preburner to the same pressure drop for the fuel 
preburner. The largest variation is 5.5% (65% power level compared to 
109% power level). Since the flowrate is proportional to the square root 
of pressure drop, the maximum oxidizer preburner flow error is 2.7%. At 
65% power level, the oxidizer preburner flow is about 2.5% of the total 
oxidizer flow. Therefore, the maximum mixture ratio error is only 0.07% 
due to using the fuel preburner pressure for the oxidizer preburner. 
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Table 5.6 Ratio of OPB Pressure Drop to FPB Pressure Drop 


power level (%) 
WPoxpb 
WPfupb 


109 104 100 

0.966 0.968 0.970 


90 80 70 65 

0.980 0.996 1.1010 1.1020 


The equation estimating oxygen flow through the oxidizer preburner is 
therefore given by: 


PPDO -PFP 


1/2 


WQPB 


1.576 + 2082.6/Ao 


— (3) 


where A 0 is the oxygen preburner oxidizer valve flow area. 

The sum of equations (1), (2), and (3) yields the total oxidizer flow 
estimate and MR is calculated by dividing the total oxygen flow by the 
total hydrogen (fuel) flow. A flowmeter provides the fuel flow. The 

inputs to the oxygen flow calculations require measurements of the main 
chamber pressure, HPOTP discharge pressure, fuel preburner pressure, 
preburner boost pump discharge pressure, and fuel and oxygen pump 
oxidizer valve positions. All of these are available from existing sensor 
measurements. These equations were incorporated into the SSME digital 
transient model to verify the feasibility of the concept of leak detection 
The results of a computer simulation of the engine dynamics of the SSME 
indicated that the approach proposed herein is valid during steady-state 
operation. Table 5.7 shows how closely the oxidizer flow as calculated, 
using the alternate approach, agrees with the design value at steady-state 
conditions, for five different power levels. 
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Table 5.7 Comparison Between Analytical Oxidizer Flow Model 

and Design Values 


power level (%) 

109 

104 

100 

90 

65 

OX flow design value 

975.58 

931 .28 

895.85 

807.17 

584.82 

OX flow as calculated 

976.41 

930.99 

895.77 

805.88 

582.25 


using analytical model 


A simulated fuel leak was introduced into the model between the High 
Pressure Fuel Turbopump (HPFTP) and the main fuel valve and the 
analytical model was used to calculate MR. One computer simulation was 
run under nominal operating conditions and three runs were made under 2 
Ib/sec, 5 Ib/sec, and 10 Ib/sec fuel leaks. The results are shown in 
Figures 5-15 and 5-16. Figure 5-15 shows the calculated MR, using the 

analytical model to determine oxidizer flow. Figure 5-16 shows the 
current SSME mixture ratio calculation. 

As can be seen from these plots, for a given point in time, calculated MR 
generally increases using the model based MR estimate, and generally 
decreases using the current SSME MR estimate for increasingly greater 
fuel leaks. Figure 5-16 indicates that the mixture ratio is lower for 
increasingly greater fuel leaks when in fact the mixture ratio should be 
higher for increasingly greater fuel leaks, as Figure 5-15 indicates. 
Differences between the values obtained with each method potentially 
indicates the existence of a fuel leak. 

Model based diagnostics provide a means of detecting subtle failures 
within the SSME if sufficient observability exists for the condition being 
monitored. However, their use appears too limited in scope to provide an 
adequate damage minimization system. These models are best utilized to 
address specific problems not adequately covered by a more 
comprehensive failure detection scheme. 


5.7 DATA TRENDING 

Monitoring trends in the data enables early detection of anomalies. This 
detection is based on estimates of where a value will be at some future 
time. To evaluate the utility of this approach, a basic algorithm was 
developed and simulations run. 


65 



Nuruic luno * ncmc 


6.4 



FIGURE 5-15 ALTERNATE MIXTURE RATIO CALCULATION RESULTS 
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FIGURE 5-16 CURRENT MIXTURE RATIO CALCULATION RESULTS 
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The data trending algorithm evaluated is a modification of the System for 
Anomaly and Failure Detection (SAFD) algorithm. The fundamental 
difference being in the decision signal; the average value of parameters 
for the SAFD versus the slope between consecutive averages ror a 
trending algorithm. Different averaging intervals for each parameter may 
be required since some parameters have a relatively steady behavior while 
others have more extreme excursions, even under normal operation. Thus, 
it is prudent to determine the averaging interval based on the history of 
excursions of the parameter values. 


The slope-average algorithm is initialized with the slope-average 
computed for the interval immediately following the establishment of 
steady state (a number close to zero) as the "expected" value. A one sigma 
"anomaly" band is defined and centered around the average value. 

Another modification that may enhance the performance of the algorithm 
is to update the expected slope (s 0 ) every several seconds if the 
variations of the slope-averages slice-to-slice are within a reasonable 
limit, (otherwise slow trends would not be identifiable). This approach 
has to be simulated further in order to assess the slice-to-slice variation 
effects relative to normal and anomalous operating conditions. 

Data from two SSME tests, during which engine degradations were the 
reason for premature engine cutoff, were evaluated using the SAFD 
algorithm and the slope-average approach and the results were compared 
The results of applying the SAFD algorithm and the slope-average 
approach to tests 901-364 and 901-225 are shown in Attachments 6 and 
7, respectively. The slope-average profiles of Attachment 7 suggest that 
this test could have been shutdown earlier, perhaps at about 252 seconds, 
as opposed to the SAFD algorithm cutoff time of 255.59 seconds. 

Although, evaluation of more tests and failure simulations are needed to 
assess the overall benefits of this approach, the simulation results 
suggest that the data trending approach could complement SAFD. For 
some parameters, the SAFD functions better than the slope-average 
approach while for others, the latter might provide an earlier cutoff. 
Thus, further analysis would be necessary to have a good understand^ of 
the slope-average approach and to develop the failure detection logic. The 
potential for use of this approach to transient conditions is also possible. 

Data trending enhances the sensitivity of the failure detection process by 
utilizing the slope of average signals rather than the averages themselves. 
Thus, in many situations when signals have a tendency to change slowly 
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due to "slow" failures, the slope average may be suitable to detection of 
subtle changes in slope. Furthermore, when the slope-average continues 
with the same sign (in the same direction) for several consecutive 
calculations, this indicates a trend which (if sufficiently many signals 
give the same indication) can be utilized for failure detection. 


5.8 FLEETWIDE OPERATING ENVELOPES 

Nominal value envelopes can be determined by utilizing the extensive 
SSME hot-fire test database and associated data analysis experience. 
Many of the nominal envelopes have already been developed and are 
currently used to evaluate new hot-fire test data. These envelopes are 
the basis of a proven technique for determining the reasonableness and 
validity of measured hot-fire parameters. While other techniques such as 
comparisons of two or more redundant measurements, exist for validating 
measured parameters, the nominal envelope technique is especially useful 
for validating non-redundant parameters. 

Fleetwide envelopes are relatively large during steady state (due to 
engine to engine variation) and do not provide sufficient resolution for 
effective failure detection. However, they are well suited to identifying 
anomalies during transients. Transient operation is observed to vary 
between acceptable engines and even between nominal tests. The range of 
values is due to minor effects within the engine that give a somewhat 
statistical nature to the events (e.g. preburner and MCC ignitions during 
the start transient). Therefore, transient anomalies are indicated by a 
value significantly "out of range", rather than by deviations from a single 
nominal value as in the case of most steady state anomaly detection 
schemes. 

Transient nominal envelopes are defined by formulating a time-dependent 
envelope based on previous hot-fire experience. These envelopes are 
composed point by point from nominal tests in the SSME hot-fire test 
database. Maximum and minimum observed nominal values, over the 
fleetwide data, are determined for each time slice during a transient. One 
example of such an envelope is presented in Figure 5-17 for the HPOT 
discharge temperature. This envelope is one currently used by Rocketdyne 
for post-test analysis for SSME hot-fire tests. A more extensive set of 
nominal envelopes for the start transient is included as Attachment 8. 

In Figure 5-17, the maximum and minimum lines which make up the 
envelope (based on 232 nominal tests) are indicated by solid lines. The 
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dashed line represents the HPOT discharge temperature measured during 
test 902-471. 

The figure shows that the HPOT discharge temperature for this test 
dropped below the minimum nominal level between about 1.8 and 2.7 
seconds after engine start. In this case, the anomaly was indicative of a 
slower than normal Oxidizer Pre-Burner (OPB) ignition. The SSME can, and 
did, start successfully under these conditions, so this single anomaly 
would not warrant shutting down the engine or any other real-time 
corrective action. After post test evaluation, an engineer rnight 
recommend an increase in the OPB oxidizer valve open loop command for 
the next test in order to allow more oxidizer Into the OPB chamber during 
start. Definition of significant anomalies during the start transient will 
require careful evaluation by experienced SSME test operations and 
performance analysis engineers. 

However, failures during the start transient can be expected to show large 
deviations from the nominal range as illustrated by the following test 
case. On October 3, 1978 SSME #0006 experienced an anomaly during its 
start transient. The test was terminated at +2.36 seconds by a low 
chamber pressure confirmation redline and a HPFT discharge temperature 
redline. Analysis of test data indicated that the HPFP speed builc, up wa ® 
slow and the oxidizer dome primed early causing an abnormally LOX rich 
condition during engine start. Figure 5-18 Indicates this anomaly. e 
shaded region indicates the nominal max/min envelope determined from 
237 tests The solid line and small dashed line are the measured values 
for two successful tests of engine #0006. The large dashed line indicates 
the measured value for the test during which the failure occurred. In the 
failure test, the HPFP speed is well out of the nominal range about 0.75 
seconds before the engine was cutoff. A more complete set of data plots 
for this test series is provided as Attachment 9. 

Two independent conditions were found that contributed to the LOX rich 
atmosphere in the engine. The main oxidizer valve (MOV) had a 
manufacturing problem. The MOV valve/actuator was mislocked open 
resulting in the ball valve being open 3.5% more than normal, causing the 
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FIGURE 5-17 FLEETWIDE OPERATING ENVELOPE - START TRANSIENT 
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FIGURE 5-18 FLEETWIDE OPERATING ENVELOPE - ANOMALY INDICATION 


early prime in the LOX dome (excessive oxidizer present at ignition). The 
HPFP was late in breaking away due to binding of the third stage impeller 
with the deteriorated repaired area in the high pressure orifice region of 
the balance piston cavity and interstage seal rubbing. 

Post-test inspection revealed damage to the HPFTP turbine and the hotgas 
manifold liner (on the fuel preburner side) and the main injector (136 
injector elements eroded between faceplates). Teardown inspection of 
the engine disclosed the HPFTP turbine had sustained damage from burning 
and erosion. A housing repair in the area of the high pressure balance 
piston orifice had failed and heavy rubbing of the second stage interstage 
seal had occurred. 

Based on the anomalies observed, this test could have been confidently 
cutoff earlier using the fleetwide nominal envelope approach to anomaly 
detection. 


5.9 POWER LEVEL DEPENDENT ALGORITHMS 

The behaviors of a number of SSME performance parameters are highly 
dependent on engine power level. Parameters included in this list are 
turbine discharge temperatures, other turbopump inlet and discharge 
temperatures and pressures, turbopump speeds, propellant flow rates, and 
valve positions. Using relations between these parameters and engine 
power level, algorithms based on power level can be derived for use in 
calculating or predicting expected, measured parameter behaviors and in 
inferring values for parameters which are not measured. 

Various forms of these power level dependent algorithms are successfully 
being utilized throughout Rocketdyne to perform off-line analysis as well 
as real-time analysis of SSME data. Two algorithm forms of particular 
interest are reasonableness curves and influence coefficients. 

Reasonableness curves are empirically derived algorithms, based on a 
third-order poly nominal fit of SSME hot-fire test data as a function of 
power level. They are currently included in the SSME Data Reduction Model 
as a method of detecting sensor failures by performing a reasonableness 
check of input data derived from sensor values. The reasonableness check 
entails comparing measured parameters to calculated parameters using a 
reasonableness band. While suited for their intended purpose, 
reasonableness curves are relatively unsophisticated compared to 
influence coefficients. 
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Like reasonableness curves, influence coefficients generated by the SSME 
Power Balance Model, can be used to estimate parameter magnitudes. 
However, the accuracies of these parameter value estimates are greatly 
improved by the ability of the influence influence coefficients to adjust 
operating parameters for changes in engine performance caused by engine 
inlet condition changes. The influence coefficients define adjustment, 
to the nominal power level dependent estimate to account for off-nominal 
inlet conditions to a system or subsystem. Additionally, influence 
coefficients have the capability of being tailored to a specific engine 
when required. In this ype of application, they serve as both an engine- 
specific and power-level-dependent calculation and prediction method. 
The greater accuracy provided by the influence coefficient method allows 
a tighter band to be considered when evaluating sensor data. 

Figure 5-19 is a comparison of measured and predicted values of HPOTP 
turbine discharge temperature during test 901-516 on engine number 
2105. Presented in the figure are: 1) plots of the measured parame er 

values 2) parameter values predicted solely with a power leve 
dependent algorithm and 3) parameter values predicted with the same 
power level dependent algorithm combined with adjustments for varying 
inlet conditions. The inlet conditions adjusted for in this case were LO 
and fuel engine inlet pressures and temperatures. LOX and fuel tan 
repressurization flow rates, and engine mixture ratio. 

The figure indicates that the power level dependent algorithm predicted 
the correct relative magnitude of the parameter, but the failure o 
account for parameter variations due to changes in inlet conditions 
greatly reduced the prediction accuracy. The prediction accuracy was 
considerably increased by adjusting for inlet conditions. ® ir | e 

condition adjustments act to reduce the deviation from the predicted 
value and allow for tighter envelopes to be used for flagging abnorma 
parameter values. It should be noted that the algorithms used to generate 
Figure 5-19 were based on SSME fleet averages. Much more accurate 
predictions could have been made by instead basing the algorithms on 
earlier tests of engine 2105. 


The advantages of utilizing influence coefficient analysis in a real-time 
health management system include: 1) influence coefficients are a as 

and relatively accurate means of predicting operating parameter behavior, 
and 2) they are relatively simple to develop, to tailor to specific 
hardware, and to implement. The only significant disadvantage is that 
influence coefficients provide a simplified estimate of the nomma 
value and some subtlties of engine operation may not be accounted for. 
When combined with an appropriate operating envelope, influence 
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coefficient based sensor data checking and anomaly identification provide 
a very effective tool for real-time health management of rocket engines. 
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FIGURE 5-19 INFLUENCE FACTOR ESTIMATE CORRECTION - HPOT DS TMP 



5.10 VIBRATION MONITORING 


Excessive vibration provides independent validation for failures indicated 
by a performance anomaly and may provide the only early indication for 
hard component failures in the turbopump. Excessive vibration is an early 
indication for a number of failure modes, most notably bearing failures, 
loss of turbopump balancing force, turbine blade fractures, and internal 
rubbing. The failure modes highlighted in Table 5.8 are expected to 
include abnormally high vibration levels as part of their failure signature. 
In addition, of 19 SSME hot-fire failures with redline cutoffs, 4 were 
cutoff by vibration redlines before the performance redlines were 
exceeded (Table 5.9). Therefore, monitoring for excessive vibration can 
be expected to significantly increase the confidence and detectability of 
turbopump failures. 

Currently, vibration is monitored by both the redline and FASCOS systems 
on the SSME. Both of these systems monitor relatively broadband 
vibration spectra and operate as simple redline cutoffs. "Cross talk" 
between components, an excitation caused by vibration of another 
component, make fault isolation virtually impossible. While some utility 
is gained by simply knowing the engine level vibration, validation of a 
failure indicated by performance anomalies is enhanced by identification 
of an isolated source of vibration. 

A certain degree of fault isolation (at least to the level of isolating the 
responsible turbopump) can be obtained by monitoring a narrow frequency 
band centered around the synchronous frequency of each turbopump. 
Justification for this approach lies in the fact that failures indicated by 
vibration ultimately involve an imbalance in the pump rotating assembly, 
resulting in a fundamental vibration at the pump synchronous frequency. 
Real time, dynamic tracking filters (such as those developed by 
Rocketdyne, under IR&D, for the bearing monitor program) have 
demonstrated tracking and monitoring of pump synchronous frequencies 
for real-time SSME data. 

Nominal vibration levels can be defined through evaluation of the spectra 
measured for SSME hot-fire tests. The ADDAM (Automated Digital Data 
Analysis Machine) system is capable of performing the vibration analysis 
necessary to characterize these spectra as illustrated by Figures 5-20 
and 5-21. Figure 5-20 is the vibration power spectrum indicated by a 
HPFP radial accelerometer for a specific 
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TABLE 5-8 FAILURE MODES EXPECTED TO CAUSE EXCESSIVE VIBRATIONS 
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TABLE 5.9 OBSERVED SSME REDLINE SHUTDOWNS 


(1) SHUTDOWN REDLINE 

NO. TESTS 

HPFT DS temp 

8 

HPOT DS temp 

3 

PBP rad accel 

2 

HPOTP accel 

1 

HPFTP rad accel 

1 

HPFP speed 

1 

HPOTP secondary seal cavity pres 

1 

HEX DS pres 

1 

Elevation J minimum pres 

1 
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FIGURE 5-21 PBP ACCELEROMETER POWER SPECTRAL DENSITY - TIME DEPENDENT 


time slice. The HPFTP synchronous frequency (about 600 Hz) clearly has 
the largest amplitude. Figure 5-21 shows the vibration power spectrum 
for the HPOP with time dependent information shown by using a time scale 
along the Y-axis and overlaying the vibration data for each time slice. 
Again the HPOTP synchronous vibration is clearly visible. 


5.11 CONCLUSIONS 

No single failure detection technique evaluated provides adequate 
protection for the engine. However, many of the techniques have features 
that would be expected to significantly improve the existing protection 
system and a synthesis of applicable features provides the basis of the 
HMSHE framework described in Section 6. 
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SECTION 6 - HMSRE FRAMEWORK 


Key features of the failure detection methods evaluated in Section 5, 
(those deemed to have the highest likelihood of success, in a near-term 
application) were combined to produce the HMSRE framework described in 
this section. These features include the use of: parameter correlation, 

operating envelopes, influence coefficients, power-level dependent 
algorithms, vibration monitoring, and plume spectometry. The framework 
is compatible with the SSME Block-1 1 controller, is readily adaptable to 
flight (most of the monitored parameters are existing Block-ll 
measurements), and can be implemented on a test stand within 5 years. 
Additionally, it is anticipated that the HMSRE framework can be 
implemented in the processing hardware currently under development for 
SAFD on the SSME TTBE program. 

Two general approaches were considered for the HMSRE framework. One 
approach addressed a small set of failure modes resulting in fairly exact 
identification of specific failures before issuing a cutoff command (e g. 
bearing signature analysis - Section 5.4). Sensitivity to and 

identification of specific failure modes has the benefit of providing a high 
degree of confidence that a failure is occurring, but lacks adequate failure 
coverage in that only a handful of failure modes are detectable. The 
alternate approach is to monitor for significant engine level anomalies. 
This provides far greater failure coverage but does not identify which 
specific failure mode is occurring. 

Detailed failure or degradation information is necessary for an adaptive or 
maintenance monitoring system, but a safety system needs only to 
identify that a failure is occurring. In a safety system, detailed failure 
information serves only to marginally increase confidence in the failure 
detection. For example, if the HPFT discharge temperature suddenly 
increases by 150 R and the shaft speed is 1000 rpm above normal, 
something has probably failed within the engine. Additional monitoring to 
determine the exact cause of the anomaly only delays the inevitable cutoff 
command. Therefore, it was decided that monitoring for significant engine 
anomalies better met the program goal of minimizing engine damage since 
it provides earlier cutoff and greater coverage of failure modes, including 
those never before observed and simultaneous, multiple failures. Failure 
coverage is further increased by defining an HMSRE framework addressing 
all phases of engine operation (except the cutoff transient). This includes 
the start transient, mainstage steady state operation at all power levels, 
and power transients. The cutoff transient is not addressed since an 
HMSRE cutoff command during this phase would have no effect. 
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Initially, a general strategy was defined for monitoring significant engine 
anomalies. The strategy selected is based largely on the parameter 
correlation schemes shown to have promise in Section 5.3. Combinations 
of individual, weighted measurement deviations, correlated to provide 
either an engine level anomaly value or indications of a specific 
degradation such as a loss of HPFP efficiency, are used as engine failure 
indicators. Engine anomaly thresholds are set for each parameter to 
define significant anomaly limits. A key departure from the method 

described in Section 5.3 is the definition of an overall engine anomaly 
parameter. This parameter is not related to a known degradation, but 
instead is intended to indicate general engine status and detect a wide 
range of engine failures. Special classes of engine failures can be 
detected earlier by monitoring losses in HPFTP efficiency, losses in 
HPOTP efficiency, and losses in MCC combustion efficiency. Each of these 
losses is indirectly observable using the correlations identified in Section 
5.3 and are implemented as part of the framework. 

This approach is in marked contrast to existing failure detection schemes 
which rely on definition of anomalies for individual measurements. Since 
the cutoff decision is based on an engine level parameter, rather than a 
collection of individual anomalies, confidence that a failure has occurred 
should be increased. For example, if increases are observed in a set of 
related measurements (e.g. HPFTP turbine discharge temperature, speed, 
FPOV position) the confidence that this represents an engine anomaly, and 
not a collection of spurious sensor indications, is significantly higher 
than if increases are observed for three "random" measurements. 
Definition of engine level parameters also allows the HMSRE to detect a 
wide variety of SSME early failure indications. For example, the first 
indication of a failure may be a large deviation in only a few 
measurements or it may be subtle changes in a relatively large number of 
measurements. Since the HMSRE is not dependent on individual 
measurement anomalies, a group of subtle changes is just as detectable as 
a few major deviations, even if some of the measurements never deviate 
enough to be considered "anomalous". This capability is especially 
attractive for relatively slow failures in which many measurements 
generally drift off nominal. Slow failures are of particular interest to 
this program since early detection of these failures is expected to 
significantly reduce the ensuing damage. Additionally, since the engine 
anomaly parameters are determined from contributions of multiple 
measurements, the system is especially tolerant of failed sensors. This 
is a critical feature for any SSME failure detection scheme since failed 
sensors are much more common than other types of engine failures. 
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Other elements of the framework were defined to support the engine 
anomaly detection strategy shown in Figure 6-1. Details of this 
framework are described in three parts below: 1) data acquisition, 2) 
correlation to engine failures, and 3) normalized measurement deviations. 

The framework is easily expanded to include additional sensor inputs and 
correlated parameters. 
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FIGURE 6-1 HMSRE FRAMEWORK OVERVIEW 










6.1 DATA ACQUISITION 


The first step in defining the engine level anomaly strategy for the HMSRE 
framework was selection of the individual measurements to be monitored 
and identification of related engine and facility sensors. 

A key issue involved in selection of individual measurements is the 
number monitored. If too few measurements are monitored, the HMSRF 
system could miss the earliest indications of some failures. If too many 
measurements are monitored, the robustness and/or sensitivity of the 
system will be degraded because of the random variations inherent in each 
of the measurements. Values for correlated parameters would ideally be 
0.0 for nominal test cases, but normal variations in individual 
measurements result in a "background" level for the parameter. As more 
measurements are monitored, this "background" level is increased. 
Increasing the "background" level has one of two effects: 1) if the engine 
anomaly threshold is held constant, the probability of false indications is 
increased (degraded robustness), or 2) if the threshold is increased to 
maintain robustness, larger measurement changes are required to indicate 
an anomaly (degraded sensitivity). Therefore, individual measurements 
were limited to those with the highest likelihood of early failure 
indications. 

Key selection criteria for the individual measurements were: 

1) strong correlation to multiple engine failures 

2) early failure indication 

3) sensor availability 

4) sensor redundancy 

5) flight applicability 

6) observability 

Correlation of measurements to multiple engine failures is determined 
through Rocketdynes SSME test operations experience and through 
evaluation of the SSME failure history. A summary of the sensor 
anomalies recorded for 21 SSME failures is shown in Figure 6-2. As an 
example, Figure 6-2 indicates that the HPOT Discharge Temperature (seen 
in 21 of 21 failures) is a better HMSRE candidate than the HPOT Primary 
Seal Drain Temperature (seen in 2 of 21 failures). 
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FIGURE 6-2 OBSERVED SENSOR INDICATIONS FOR SSME FAILURES 










Earliness of failure indications was estimated by Rocketdynes SSME test 
operations personnel and by evaluation of the SSME failures. Figure 6-3 
indicates the time before redline cutoff that each sensor first indicated 
an anomaly. The data indicates that the turbine discharge temperatures, 
for example, are among the earliest failure indicators for most of the 
failures evaluated. 

Sensor availability, redundancy, and flight applicability are addressed by 
emphasizing existing SSME flight and facility measurements (Attachment 
10). Additional measurements, such as the plume spectrometer, were 
individually evaluated by Rocketdynes advanced instrumentation 
personnel. 

Observability of measurements is determined by SSME engine balance 
model results (shown in Attachment 4), SSME system level evaluation, and 
the SSME failure history. For example, the direct result of a fuel leak 
should be a change in the MCC mixture ratio (and temperature) but the 
SSME control system maintains mixture ratio constant, making this 
indicator unobservable as shown by the SSME engine balance results for an 
engine with a fuel leak. 

Based on evaluation of these criteria, the following measurements were 
selected for the HMSRE framework: 

1. HPFT Discharge Temperature 

2. HPOT Discharge Temperature 

3. HPFT Delta Pressure 

4. HPOT Delta Pressure 

5. MCC Pressure 

6. HPFP Speed 

7. HPOP Speed 

8. FPOV Position 

9. OPOV Position 

10. HP FTP Vibration 

11. HPOTP Vibration 

12. Plume Contamination 


The measurements selected are mainly existing SSME block-ll controller 
measurements, thereby ensuring that the HMSRE is suitable for flight 
application. Three measurements that are expected to enhance the overall 
performance of the HMSRE are not included in the block-ll data set: the 
oxidizer preburner pressure (measured by the facility), the HPOP speed 
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FIGURE 6-3 SSME FAILURE HISTORY - EARLY INDICATIONS 







(obtained from the synchronous vibration indicated by HPOTP 
accelerometers), and plume contaminants (new measurement). 

The majority of selected measurements are turbopu«np measurements. 
This was a natural consequence of the selection process (which heavily 
weighted proven observability) since other failure indications tend to be 
obscured by the SSME closed loop control system. Therefore, the 
observable failure indications are those that reflect the control system 
response to a degraded engine, forcing one or both turbopumps to operate 
at off nominal values. An exception to this rule is the MCC Pressure, 
whose value is actively controlled by the SSME block-ll controller. 
Observed changes in this parameter would indicate serious problems with 
the engine or a loss of control functionality. 

The HMSRE measurement set is completed by the inclusion of several 
parameters known to indicate failures that might not effect the 
performance parameters. Turbopump vibration (in a narrow band centered 
around the pump synchronous frequencies) is included based on the utility 
of these measurements shown in Section 5.10. Plume monitoring has less 
of a historical basis but has the potential for earlier indications of 
several failure modes (Section 5.5.1) including combustion device failures 
which provide little or no early warning in SSME performance 
measurements. 

Figure 6-4 shows the source of data for each of the individual 
measurements and summarizes the data acquisition part of the 
framework. Table 6.1 indicates the available redundancy for each of the 
measurements selected. 


6.2 CORRELATION TO ENGINE FAILURES 

Individual measurements are correlated to engine failures through the 
definition of engine anomaly parameters as described earlier. Since only 
the differences in these parameters are used to indicate failures, the 
deviations of individual measurements, rather than their absolute values, 
are used to estimate changes in the correlated parameters. The individual 
measurements are normalized to reflect confidence in the measured 
deviations. 

The method for correlating individual measurements to engine parameters 
is shown in Figure 6-5. Each normalized measurement is weighted. The 
sum of the weighted measurements provides estimates of engine anomaly 


90 



k 


< 

CD 

< 

CD 

CL 

1 

CL 

i 

-a 

I- 

1- 

H 

1- 

ns 

2 

<x> 

a> 

co 

co 

<n 

cd 

“53 

“aj 

CL 

Q 

Q 

Q 

Q 

Q 

Q 

£ ^ 

t 

t 

i — 

O 

H- 

o 

t 

1— 

O 

o S: 

CL 

CL 

CL 

CL 

CL 

a. 

O CL 

X 

X 

X 

X 

X 

X 

S x 


< 

CD 

< 

CO 

CL 

i- 

H 

h- 

1- 

X 

co 

Q 

CD 

Q 

cn 

Q 

co 

Q 

o 

p x 

(■— 

LL 

K~ 

LL 

\- 

o 

O 

CL a_ 
CD ^ 

X 

CL 

CL 

CL 

CL O 

X 

X 

X 

X 

LL S 


o 2: 


"O 

© — : 

2 “35 


£ 

Q_ O Q_ 

its o 


.g 

> _ 
Q- 05 
h— O 

O fo 

Q. S 
X -S 


^2 5 

> > 

g= £ 

LL O 

QL CL 
X X 


_ t= 
® <0 
= c 
J2 o 
x o 


91 


FIGURE 6-4 HMSRE DATA ACQUISITION SYSTEM 



TABLE 6.1 HMSRE BASELINE MEASUREMENTS 


Measurement 

Calc. 

Em 

CADS 

Facii. 

New 

HPFT DS Tmp 


2R 

2R 

— 


HPOTDSTmp 


2R 

2R 

— 


HPFT dP 

X 





FPB Pc 


S 

S 

s 


MCC HG Inlet Pr 


S 

s 

S 


HPOTdP 

X 





OPB Pc 
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MCC HG Inlet Pr 


s 

s 
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MCC Pc 


2R 

2R 

— 


HPFP Speed 


S(2) 

S(2) 
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HPOP Speed 

X 





HPOP Rad. Accel. 


3R* 

3R* 

7R(a) 


FPOV Position 
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— 
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S(2) 
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— 


HPFTP Vibration 


3R 

3R 
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HPOTP Vibration 


3R 

3R 
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Plume Contaminants 


— 
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FIGURE 6-5 ENGINE ANOMALY CORRELATION STRATEGY 
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parameters. A cutoff threshold, above the noise level observed for 
nominal tests, is set for each parameter. The engine would be sent a 
cutoff command if any of these thresholds is exceeded. Each measurement 
is normalized to indicate the number of confidence limits (a limit related 
to the confidence in the measured deviation - Section 6.3) the measured 
value deviates from an estimated nominal value. Correlated parameters 
are defined to be the weighted sum of some or all of these normalized 
measurements. 

The basic failure indicator is a general anomaly parameter defined to 
indicate overall engine status. The baseline correlation for this 
parameter is a simple sum of all normalized measurements. This 
parameter is sensitive to any failures causing deviations in one or more 
HMSRE measurements. For example, if all the weighting factors are set to 
1.0, a correlated value of 5 would indicate that: 1) one sensor is off 
nominal by 5 times the confidence limit set for that parameter, 2) five 
sensors are each off nominal by 1 times the confidence limit, or 3) some 
other combination of sensor values are resulting in a combined off 
nominal value of 5. In other words, the correlation strategy indicates a 
level of confidence that an engine failure is occurring. The confidence can 
be increased by a few individual indicators reading far from nominal, or by 
many indicators simultaneously drifting off nominal by a lesser amount. 
This parameter is expected to detect most SSME failures and evaluation of 
the SSME failure history indicates that 18 of 22 past failures would have 
been detected by this parameter. 

Three additional correlation parameters, especially sensitive to the 
classes of failures indicated, are included in the baseline HMSRE 
framework: Loss of HPOTP efficiency, Loss of HP FTP efficiency, and Loss 

of MCC combustion efficiency. These parameters have a lower noise level 
than the general anomaly parameter since only specific measurement 
deviations are included in the weighted sum. This enables a lower 
threshold and corresponding earlier cutoff. 

A preliminary set of weighting factors for these special cases can be 
determined using the SSME engine balance model. The model was run for 
each special case. The results are included as Attachment 4 and are 
summarized in Table 6-2. Table 6-2 indicates the direction and percent 
change observed for each of the HMSRE parameters. As an example, the 
Loss of HPFTP Efficiency set of weighting factors are qualitatively shown 
in Figure 6-6. MCC Pc, OPOV position, and HPOP speed have weighting 
factors of 0 since very little relative change is expected for these 
parameters. The anomalies observed for three SSME failures that resulted 
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TABLE 6.2 


NORMALIZED DEVIATIONS FOR FAILURE CORRELATIONS 


Engine 

Parameters 

Loss of 
Combustion 
Efficiency 

Loss of 
HPOP 
Efficiency 

Loss of 

HPFP 

Efficiency 

HPFTDST 

-0.20 

=0.18 

+0.79 

HPOT DS T 

+1.00 

+0.91 

-0.53 

HPFT Delta P 

+0.10 

+0.09 

+0.68 

HPOT Delta p 

+0.65 

+0.59 

+0.21 

HPFP-N 

+0.10 

+0.09 

+0.21 

HPOP-N 

+0.60 

+0.00 

-0.00 

FPOV 

-0.50 

+0.09 

+1.00 

OPOV 

+0.30 

+1.00 

-.05 

MCC Pc 

0.00 

.1 

0.00 

0.00 
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Loss of HPFP 

Efficiency Test 901-364 Test 902-249 Test 901-410 
Correlated I I I I 

Anomalies t-185 t-117 t-7 t-130 t-101 t-76 c/o - 490 c/o - 345 
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FIGURE 6-6 RELATIONSHIP BETWEEN ANALYTICAL CORRELATION FACTORS AND 

OBSERVED ANOMALIES 















in a loss of HPFTP efficiency are also shown and correlate well with the 
expected parameter indications. 


6.3 NORMALIZED MEASUREMENT DEVIATIONS 

The approach used to normalize individual measurement deviations is 
shown by Figure 6-7. For each measurement, an expected nominal value is 
defined. The difference between the actual measurement and the nominal 
value indicates the magnitude and direction of measured deviations. The 
normalized value is defined by dividing the difference between measured 
and nominal values by the associated confidence limit. 

Using the approach outlined above, normalizing measurement deviations 
is reduced to a two part problem: 1) definition of a nominal value, and 2) 
definition of a confidence level. 

Based on the evaluation of detection techniques, three approaches were 
selected to estimate the nominal value of each measurement: 1) fleetwide 
operating envelopes, 2) steady state initial values, and 3) power 
dependent values. Each technique is applicable to a different part of the 
SSME operating profile and regions of applicability are shown in Figure 6- 
8. During transients and the initial seconds of the first steady state, 
fleetwide operational envelopes provide the most useful estimate of 
nominal measurements (Section 5.8). The first few seconds of 
subsequent steady states are more accurately estimated by predicting the 
value based on the values measured during the initial steady state and the 
scheduled power change (Section 5.9). During the first few seconds of 
steady state operation, an average is taken and serves as an accurate 
estimate for the remainder of steady state (Section 5.2). Details about 
each of these estimation techniques can be found in the referenced 
sections. 

The second requirement is definition of confidence limits. The confidence 
limit can be thought of as the limit beyond which an engine expert would 
say that a particular measurement is indicating an anomaly. Therefore, 
a normalized value of 1.5 would correspond to a high degree of confidence 
that a measured deviation is significant. On the other hand, a value of 0.5 
would indicate only that the measured deviation could be an indication 
that an engine level parameter is changing.. The confidence limits are 
different for each parameter and are expected to change during transients. 
However, the confidence limits are defined such that the numerical values 
of the anomaly indications are always consistent (i.e. value=1.0 indicates 
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FIGURE 6-7 NORMALIZED MEASUREMENT DEVIATION APPROACH 
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FIGURE 6-8 NOMINAL VALUE ESTIMATION SCHEDULE 




that a deviation is significant). Quantification of the confidence limits 
will require a thorough sensitivity study based on SSME test histories and 
models. 


6.4 FRAMEWORK CONCLUSIONS 

The framework described in this section is composed of well established 
failure detection elements, applicable to SSME failures, and compatible 
with implementation in SAFD hardware currently under development (see 
Attachment 11). This represents a low risk, high payoff strategy for near 
term implementation. 

The framework represents a system that is compatible with the Block- 1 1 
controller and is easily extended to flight applications. It is sensitive to 
a wide variety of failure indications, provides early indications of engine 
failures, is tolerant to sensor failures, and allows a high degree of 
confidence in engine cutoff commands. 
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7.0 - EFFECTIVENESS EVALUATION 


A measure of the HMSRE effectiveness is obtained by comparing key 
framework characteristics with those of a baseline detection system, in 
this case the SAFD system. The effectiveness of the HMSRE framework is 
evaluated based on four criteria important to rocket engine failure 
detection systems: I) Failure Coverage, 2) Engine Phase Coverage, 3) 
Earliness of Indication, and 4) Degradation Due to Sensor Failures. A 
summary of the effectiveness evaluation is shown in Table 7.1. 


Failure Coverage 

The failure coverage of the HMSRE was characterized by two different 
methods: evaluation of 28 SSME incident tests and determination of 
detectable failure modes. 

Twenty eight SSME incident tests were identified and summarized in the 
SAFD phase II report. The tests covered a wide variety of engine failures 
and are assumed to be representative of SSME failure indications. These 
tests were used to estimate the failure coverage of both the SAFD system 
and the HMSRE framework. For each of the tests listed in Table 7.2, The 
maximum number of sensors indicating an anomaly was determined to 
characterize the SAFD system and the maximum value of the HMSRE basic 
algorithm was calculated to characterize the HMSRE framework. 

Of the 28 tests, 4 lasted the program duration and resulted in only minor 
damage to the engine. These tests are assumed to be near (but slightly 
below) the threshold of damage sufficient to warrant engine shutdown. 
Therefore, of the 28 incident tests, 24 required cutoff and 4 did not. 

To estimate the cutoff criteria for the HMSRE framework, the incident 
test data was graphically represented in Figure 7-1. For each test, the 
maximum HMSRE basic algorithm value is plotted along the Y-direction. 
The four program duration, minor damage tests (assumed not to warrant 
engine cutoff) are represented by empty boxes. Based on these data, a 
HMSRE cutoff threshold of 6.0 was selected for evaluation purposes. 

Using a threshold of 6.0, 19 (of 24) tests would have been cutoff early - a 
demonstrated failure coverage of 79%. Equally important, none of the 
program duration, minor damage tests would have been cutoff. The failure 
coverage demonstrated for the HMSRE is comparable to that expected with 
SAFD (18 of 24 tests cutoff). 
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TABLE 7.1 HMSRE EFFECTIVENESS SUMMARY 



SAFD 

HMSRE 

r ailure Coverage (based on 28 incident tests) 

Number of tests correctly c/o early: 

18/24 

(75%) 

1 9/24 
(79%) 

Number of tests erroneously c/o early: 

0/4 

0/4 

: ailure Coverage (based on ranked failure modes) 

n/a 

55% 

Engine Phase Coverage 

Start Transient 

no 

yes 

Steady State 

yes 

yes 

Power Transient 

no 

yes 

Cutoff Transient 

no 

no 

Earliness of Indication (time before Redline c/o) 

Test 901-307 

20.0 

31.5 

Test 902-198 

3.1 

3.4 

Test 902-249 

61 

121 

Degradation due to sensor failure 

slight 

slight 
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TABLE 7.2 SSME TEST HISTORY SUMMARY 


TEST 

NUMBER 

MAXIMUM SAFD 
ANOMALIES 

MAXIMUM HMSRE 
MAGNITUDE (est *) 

MINOR 

DAMAGE 

PROGRAM 

DURATION 

SF6-01 

5 

56.2 



SF10-01 

5 

14.0 



750-148 

1 2 

69.1 



750-175 

8 

133.4 



750-259 

1 2 

103.9 



901-110 

1 

2.2 



901-136 

2 

4.9 



901-173 

1 1 

25.0 



901-183 

2 

2.2 

• 


901-225 

8 

46.4 



901-284 

6 

126.2 



901-307 

7 

9.6 



901-331 

1 3 

66.8 



901-340 

9 

22.2 



901-346 

6 

1 1 .1 


• 

901-362 

1 

5.1 

• 

• 

901-363 

2 

5.2 

• 

• 

901-364 

7 

18.3 



901-41 0 

3 

9.8 


• 

901-436 

8 

52.1 



901-485 

2 

4.6 

• 

• 

902-095 

0 

0.0 



902-1 12 

7 

60.6 



902-1 18 

8 

24.9 



902-120 

1 

2.6 



902-198 

1 2 

82.4 

• 


902-209 

1 

2.9 

• 

• 

902-249 

6 

27.4 




* estimated using SAFD sigma values and all sensor weights = 1.0 
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HMSRE MAGNITUDE - BASIC ALGORITHM 


KEY : • redlin® do, major damage O redline do, minor damage 

■ program duration, major damage □ program duration, minor damage 
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TEST NUMBER 

FIGURE 7-1 PRELIMINARY HMSRE SENSITIVITY STUDY 
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The false alarm rate is expected to be low since the cutoff is 3 times the 
nominal value and even tests indicating some minor damage remain below 
the threshold. 

Evaluation of the incident tests indicate good failure coverage and a high 
degree of failure detection robustness. 

The second method used to estimate the failure coverage was to identify 
failure modes among the 45 most likely to occur (according to the Task 1 
ranking) detectable by the HMSRE framework. Detectability was assumed 
for failure modes expected to affect at least two different HMSRE 
measurements (i.e. HPOT discharge temperature A & B count as 1 
measurement). The percentage of failure modes detectable with the HMSRE 
was estimated by using the figure of merit values as rough estimates for 
the relative likelihood of each failure mode occurring. This approach 
indicates that about 55% of all criticality 1 engine failures should be 
detectable. The assumptions and approximations used in the above failure 
coverage assessment reflect the tendency towards detectability for each 
failure mode. 


Engine Phase Coverage 

The HMSRE framework addresses all phases of engine operations (start 
transient, mainstage steady state, power transients) except the cutoff 
phase. 

Earliness of Indication 

The earliness of failure indication is approximated by evaluating three 
specific test cases: 901-307, 902-198, and 902-249. The results of these 
evaluations are shown in Figures 7-2, 7-3, and 7-4. A comparison of 
cutoff times is shown in Figure 7-5. The HMSRE could have provided an 
earlier cutoff, as compared to SAFD or Redlines, in all cases. 

For test 902-198, the small amount of time gained by using the HMSRE 
(0.3 sec) probably would not sign*f icantly reduce the engine damage as 
compared to SAFD cutoff. 

Test 901-307 shows the HMSRE cutoff 11.5 seconds before the SAFD 
cutoff. It is likely that significant engine damage occurred during this 
time interval. 
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Test 902-249 shows the HMSRE cutoff at t-330 and the SAFD cutoff at 
t-390 . Examination of the test summary indicates that the engine was 
slowly degrading until a rub ring failed at t=374. Following failure of this 
ring, the engine degradation accelerated and spread to other components. 
Therefore, significant engine damage clearly could have been avoided if 
the engine were cutoff at the HMSRE threshold. 


Degradation . Due to S ensor Failure 

Insensitivity to sensor failures is crucial to a rocket engine failure 
detection system. Sensors fail at a much higher rate than any other engine 
component and a detection system dependent on any single sensor is likely 
to find itself "blind" when that sensor fails. The HMSRE estimates 
anomalies and degraded conditions based on the influences of 14 
individual measurements. Therefore, the loss of any sensor (or several 
sensors) slightly degrades the overall failure indication but does not 
preclude detection. 
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Nominal Test #1 
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FIGURE 7-2 HMSRE EFFECTIVENESS - TEST 901-307 



FIGURE 7-3 HMSRE EFFECTIVENESS - TEST 902-198 
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FIGURE 7-4 HMSRE EFFECTIVENESS - TEST 902-249 
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FIGURE 7-5 COMPARISON OF HMSRE AND SAFD CUTOFF TIMES 


SECTION 8 - BREADBOARD IMPLEMENTATION PLAN 


A 24 month program is recommended for the implementation of a 
breadboard version of the HMSRE. This will provide an HMSRE ready for 
use in conjunction with a Space Shuttle Main Engine (SSME) when it is 
being "hot-fired" on a test stand. It is expected that the HMSRE will 
provide additional protection to the engine during test firing thereby 
providing a higher probability of engine and/or major component survival. 

This plan provides an overview of how to accomplish the required work. It 
includes a program logic diagram, a program WBS chart, a program time 
schedule, a program manloading figure and an implementation plan 
narrative. This narrative includes estimated manloading, required test 
facilities, overall plans for testing and a technology program to fill near 
term technology voids. 

8.1 PROGRAM LOGIC 

The technical logic flow for the program (Figure 8-1) describes the task 
sequence and interrelationships for the planned work. Information flow 
and review points are indicated. This provides a pictorial description of 
the flow of work that complements the more structured WBS and schedule 
charts. 

Rocketdyne plans to base the HMSRE breadboard implementation in 
software development and validation efforts, ultimately for 

implementation on the Space Shuttle Main Engine (SSME) Technology Test 
Bed (TTBE). The breadboard implementation of the HMSRE will be on 
computer/workstation hardware which is available at Rocketdyne. The 
program is divided into three sequential software development and test 
related tasks, and a parallel technology task. 

In Task 1 (Preliminary System Definition), preliminary algorithms for 
correlating failure data from multiple sensor streams are developed. 
Nominal value estimation techniques will be defined, and a preliminary 
database of engine test information which will be used for HMSRE testing 
will be established. Preliminary confidence limits and weighting factors 
will be established, and the preliminary algorithms will be coded, with a 
preliminary system testing period which overlaps the algorithm coding 
effort to ensure that the HMSRE works successfully in a preliminary state 
prior to the system development task. The output of this task will be a 
set of runs (approximately 12) which indicate the length of time before 
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FIGURE 8-1 PROGRAM LOGIC 


























redline cutoff which the HMSRE would signal for engine shutdown. These 
results will be presented at LeRC as part of the Task 1 review. 

System Development (Task 2), will produce a comprehensive HMSRE, with 
a full complement of engine test data for HMSRE testing and a full set of 
algorithms. This task starts with algorithm and full engine test database 
development. Confidence limits and weighting factors will be defined and 
implemented in the HMSRE algorithms. Inlet condition correlation 
techniques will be established and then the algorithms will be coded. The 
HMSRE will be tested and a sensitivity study will be conducted in parallel 
with this testing. The hardware for Task 2 activities will be a 
computer/workstation at the Rocketdyne Canoga Park facility. The 
system development efforts are expected to incorporate coding techniques 
which will facilitate code debugging and prove HMSRE functionality. A 
Task 2 review will be held at LeRC at the conclusion of Task 2. 

Task 3, System Refinement and Validation will focus on adding fidelity to 
the HMSRE through the refinement of the nominal value estimator, 
confidence limits and weighting factors. Additionally the HMSRE code 
will be "stripped" of software development "hooks" and messages, to 
increase speed. At this stage, the HMSRE can be installed on the SAFD 
development hardware at Rocketdyne’s Canoga facility. By this means, any 
bugs in the system can be worked out on hardware which is configured to 
behave like the TTBE implementation hardware. Validation testing will be 
conducted at Rocketdyne and utilize the full engine test database. 
Successful SSME test data will be used to test for erroneous cutoff. 
Anomalous test data will be used to "trigger" the HMSRE, and engine 
simulations will be used to test HMSRE on failure modes that have not 
occurred or have not been recorded. The HMSRE can then be installed on 
the SAFD hardware at the TTBE facility. Here it is planned to first 
implement the HMSRE as a warning device to the test operator where a 
noise and/or visual indication would be used to quickly signal pending 
mishaps. Subsequently the HMSRE will be wired to the engine shutdown 
interface to initiate TTBE shutdown as required. 

Three technology voids (elements expected to enhance the overall HMSRE 
effectiveness but not currently available for the SSME) will be addressed 
in Task 4. None of these efforts represent major challenges, and 
development should be low risk. The areas addressed are plume 
spectrometry failure correlation, Turbopump narrow-band vibration 
failure correlation, and oxidizer turbopump vibration to speed 
calculations. 
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8.1.1 Work Breakdown Structure 

The program WBS chart ( Figure 8-2) defines work elements to the third 
level. For the technical tasks (Tasks 1 through 4), subtasks are described. 
The WBS provides a structured means for allocating program resources, 
closely monitoring the performance of technical work, and controlling the 
program expenditures. 

8.1.2 Program Schedule 

The program schedule is shown in Figure 8-3. Time phasing of the 
elements to the third (subtask) level, and subtask completion dates are 
shown. Task timeline allocations are made based on task activities 
within the 24 month period. The Task 1, (Preliminary System Definition) 
technical effort will be performed in the first six months and Task 2 
(System Development) will start in the seventh month and continue for 
fourteen months. Task 3 (System Refinement and Validation)will be 
initiated at the beginning of the twenty-first month with a duration of 
four months. Task 4 (Technology Voids) will start in the seventh month 
and continue through the thirteenth month. 

Figure 8-4 summarizes the Rocketdyne program manpower loading for the 
technical effort, and is the basis for cost estimating. 

8.2 ESTIMATED MANLOADING 

The estimated HMSRE implementation cost is based on a preliminary work 
breakdown structure (WBS), combined with a preliminary schedule. Hours 
and durations for each WBS element have been estimated by a team 
consisting of the cu r rent principal investigator, the project manager and 
functional managers presiding over supporting personnel. The estimate is 
based on experience on similar programs/ tasks and takes advantage of 
applicable past and parallel efforts. 
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FIGURE 8-2 
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FIGURE 8-3 PROGRAM SCHEDULE 
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FIGURE 8-4 PROGRAM MANLOADING 
















8.3 TEST FACILITY REQUIREMENTS 


Computation Requirements 

It has been determined that a commercial/industrial grade computer will 
have enough capacity and speed to perform the necessary calculations and 
input/output in the requisite time to provide enhanced engine protection 
during test firing. 

The best suited available test facility for the HMSRE development is a 
workstation at Rocketdyne-Canoga. This allows ready access to the 
extensive SSME test data history. Our digital data room can format the 
test data into ASCII files which can be installed on and accessed from the 
development station hard disc drive. This will accommodate the HMSRE 
implementation system development goals. The development station will 
be self-contained in that it will not seek data from outside the 
workstation during test runs. The test data to support these runs will 
come from the engine test database and from Rocketdyne's SSME model 
outputs. When the HMSRE has been streamlined for real time operation and 
validated at Rocketdyne in the local SAFD system, the TTBE facility will 
come into play. The HMSRE real time code will be transferred to the SAFD 
hardware at TTBE. This supports the ultimate HMSRE implementation 
goals by providing hot-fire engine test data and potential interaction 
with the engine via the SSME controller (SSMEC). Test data will come 
from both the engine instrumentation and facility instrumentation. The 
use of the System for Anomaly and Failure Detection (SAFD) on the SSME 
TTBE is integral to HMSRE TTBE implementation. It is planned to use the 
SAFD capabilities for HMSRE signal conditioning, multiplexing and 
computing as well as the SAFD algorithms. 

The following models are among those available for use in this program: 

The SSME DTM Model. A thermodynamic, transient, engine system and 
component performance prediction model. The SSME DTM is used for 
engine system design analysis and engine anomaly simulations. The SSME 
DTM is normally run in batch mode on Rockwell’s Cyber 875 computer 
located at the Information Systems Center in Seal Beach, CA. 

The SSME FLYTE Model. A linear, steady-state, engine system and 
component performance prediction model incorporating influence 
coefficients. The SSME FLYTE is used for STS flight performance 
prediction, reconstruction, and anomaly resolution analyses and is 
normally run in a batch mode on Rocketdyne's ATDM computer. 
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The SSME OTPP Model. A thermodynamic, steady-state oxidizer turbopump 
component test data reduction model. The SSME OTPP is normally run 
interactively on SSME Oxidizer Turbomachinery IBM microcomputers 
located at the Canoga Facility. 

The SSME HPOTP model. A thermodynamic, steady-state oxidizer 
turbopump component performance prediction model. The SSME HPOTP is 
used for SSME HPOTP detailed design analysis and performance prediction 
and is normally run interactively on SSME Hydrodynamics' Apollo 
workstations located at the Canoga Facility. 


A summary of the models is given in Table 8-1. Several of the models 
accommodate the nonlinear aspects of the system and each is written in 
the programming language FORTRAN 77. The DRP, FLYTE, OTPP, and HPOTP 
models perform analysis and anomaly resolution of SSME hot fire data. 


8.4 ACQUISITION PLANS 

Since it is planned to utilize Rocketdyne-supplied computing hardware for 
development and initial breadboard HMSRE implementation; and the SAFD 
hardware at Rocketdyne and MSFC-TTBE for ultimate validation, no 
acquisition plans are anticipated. 


119 



TABLE 8.1 ANALYTICAL MODELS 


Model Name Model Function 


SSME Power Balance Model 

Non-Linear thermodynamic performance 
prediction and power balance model (PBM) 

LEM: Linear Engine Model 

Linearization of PBM. 

SSME influence coefficient model 
calculates general trends. 

FLYTE 

SSME linear flight data prediction and 
reconstruction model. 

FREDA 

Inferred flow parameter calculations. 
Test data driven. 

DRP 

Non-linear, thermodynamic, steady-state 
performance prediction. 

DTM 

Non-linear, thermodynamic, transient 
performance prediction. 

OTPP 

Steady-state, component test data 
reduction. 

HPOTP 

Steady-state, oxidizer turbopump 
performance production. 

Hydrodynamic Models 
Seal Models 

Inferred parameter calculations. 

Test data driven. 

Back-calculation of engine parameters. 

Aero-Thermal Models 

Thermally affected parameters. 
Component expansion characteristics. 
Expected operation conditions from 
equilforium calculations. 

Miscellaneous Models 

Smaller models used for the analysis and/or 
design of specific components, configurations 
or scenarios. 

HMSRE Models 
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8.5 TECHNOLOGY PROGRAM 


Throughout the program, emphasis was placed on compatability with the 
SSME block- 1 1 controller and available facility measurements. 
Measurements requiring additional development, either in hardware or 
processing, were not included unless they were felt to offer significant 
enhancement to the HMSRE. On this basis, only three technology closure 
areas are conceived for application to the HMSRE. These are the 
characterization of plume spectrometry for failure mode recognition, the 
determination of nominal high pressure turbopump vibration values and 
their correlation to failure modes, and the calculation of high pressure 
oxidizer turbopump speed from real-time HPOTP vibration data. 

8.5.1 Plume Spectrometry 

Plume spectrometry provides information, related to internal hardware 
degradation, that is unavailable with the existing SSME instrumentation^ 
The development effort for this technology consists of two parts: i) 
definition of failure related plume anomalies, and 2) plume spectrometry 
system development. 


DEFINITION OF FAILURE RELATED PLUME ANOMALIES 

Task 1 - Define critical plume anomaly measurements. Definition of 
critical measurements includes the selection of monitored materials, 
identification of anomaly type (e.g. steady plume contamination, spurious 
plume contamination, increasing plume contamination), and identification 
of anomaly location (e.g. distributed throughout plume, streaks). Since no 
significant failure database is available, definition of plume 
contamination anomalies will rely on expert opinion, detailed modelling, 
and probabilistic representation of degration modes and engine dynamics. 

The general approach: 

• Select critical/representative failure modes 

• Define general failure scenarios 

• Characterize degradations (e.g. continous erosion, large chunks of 

material released) 

• Characterize plume contaminations (e.g. Inconel 718, contmously 

present in plume, steady increase in contamination level, fine 
particles, evenly distributed throughout plume) 
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Task 2 - Define nominal values. Nominal SSME operating values will be 
established for the plume anomaly indications defined in Task 1. Nominal 
values are defined by evaluating existing Rocketdyne SSME hot-fire data 
and the data from the Stennis Space Center plume spectrometry hot-fire 
testing program for each anomaly. 


Task 3 - Define acceptable limits. Acceptable deviation limits, for each 
nominal value defined in task 2, will be established. These limits are 
based on the statistical distribution of observed values in nominal tests, 
the expertise of appropriate design and test personnel, and plume 
contamination calibration tests. 

PLUME SPECTROMETRY SYSTEM DEVELOPMENT 

Task 1 - System definition. Trade studies will be performed, based on the 
anomaly definition results described above, to identify required system 
features. These evaluations are expected to include plume coverage (wide 
angle, line, single point, etc.), temporal resolution, monitored chemical 
species, monitoring capabilities (full spectrum, discrete bandwidths), and 
material quantification requirements. 

Task 2 - System development. Hardware and data processing software 
will be developed to implement capabilities defined in task 1 that are not 
available with current plume monitoring systems. 

Task 3 - System calibration and sensitivity evaluation. The system 
response to known plume contamination concentrations will be evaluated 
to correlate the measured plume anomalies to engine hardware 
degradations defined above. 


8.5.2 High Pressure Turbopump Vibration to Failure Mode 
Correlation 

Hardware degradation of the high pressure turbopumps is often 
accompanied by increased vibration levels. Sensitive vibration monitoring 
is expected to provide indications of rotating assembly degradations (e.g. 
bearings, seals) before the degradation becomes severe enough to 
significantly influence the performance parameters monitored by the 
block-ll controller. Current vibration measurements monitor a fairly wide 
vibration band and redlines are based on the overall RMS vibration levels. 
For the HMSRE, isolation of the vibration source to a specific component is 
desirable to enable effective correlation with other HMSRE parameters 
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that indicate a failure. The accelerometers are available and are 
currently used by the block-ll controller. Therefore, the development 
required Tor the HMSRE is limited to the hardware/software necessary to 
isolate specific component vibration signals and the quantification of the 
HMSRE nominal values and limits. 

Task 1 - Development of vibration isolation hardware and software. Real- 
time hardware and software will be developed to isolate vibration signals. 
Several approaches will be evaluated, including tracking filters and 
software caoable of identifying vibration "peaks" indicative of a specific 
component. The isolation system will be tested and evaluated using SSME 
taped vibration data. 

Task 2 - Quantification of nominal values. Nominal values are established 
by evaluating the recorded vibration levels, in the bands monitored by the 
system developed in task 1, for a range of nominal SSME hot-fire tests. 
Average values will be established at each power level. In addition, the 
influence of changing inlet conditions will be assessed through evaluation 
of appropriate test data. 

Task 3 - Quantification of limits. Limits will be established, for each 
band in the system defined in task 1, based on the statistical fluctuations 
in the data evaluated during task 2 and evaluation of SSME failure tests. 


8.5.3 High Pressure Oxidizer Turbopump Vibration to Speed 
Correlation 

The HPOTP speed provides a good indication of HPOTP performance and 
how hard the pump is being worked. No speed sensor currently exists on 
the HPOTP, but the speed is calculated (post-test) based on the frequency 
of the pump sysnchronous frequency. The development effort required for 
this measurement is to implement the frequency-speed relationship in a 
real-time system. 
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SECTION 9 - SUMMARY 


The SSME test history indicates that specific early indications of 
catastrophic engine failure vary widely, even for similar failures. This 
observation, coupled with the fact that the probability of any one specific 
failure and propagation scenario is quite small (estimated at about 1% for 
the most likely failure mode) suggests that an algorithm sensitive to a 
wide variety of general failure indications is the most appropriate for 
near term applications. Therefore, the guiding principle behind the HMSRE 
algorithm is to provide capabilities for early detection of generic SSME 
failure indications, rather than addressing specific failure modes 
individually. 

Evaluation of the most likely SSME FMEA failure modes, determined by the 
figure of merit approach, and evaluation of the SSME failure history 
indicate that several existing measurements generally provide 
significant, early indications of immenent catastrophic engine failures. 
These measurements are primarily related to high pressure turbopump 
performance, but also include vibration and the main injector pressure. 

Nine classes of detection schemes were evaluated for extracting early 
failure indications from the key engine operating parameters identified as 
generic SSME failure indicators. Of these nine classes, features from five 
were selected for the HMSRE algorithm: Advanced Redlines, Parameter 
Correlation, Operational Envelopes, Power Level Dependent Algorithms, 
and Vibration Monitoring. 

The HMSRE failure detection strategy evaluates the difference between 
measured critical operating conditions and predicted nominal values. The 
likelihood of catastrophic engine failure is approximated by a weighted, 
correlated sum of these differences. This strategy enables sensitivity to 
a wide variety of early failure indications ranging from large excursions 
in a single, validated parameter to the gradual drifting of a large number 
of correlated parameters. 

Evaluation of the SSME test history indicates that the HMSRE algorithm 
would have detected 79% of the major incidents. Furthermore, the 
algorithm provided indications of imminent catastrophic failure well in 
advance of redline cutoffs for each of three SSME failures representing 
three distinct failure types. 

In addition, the HMSRE algorithm is easily extended to include additional 
measurements, both conventional and advanced, and the correlation 
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i strategy can be refined to include expert system analysis or even neural 
network type processing. 

Finally in conclusion: the use of available SSME measurements, the 
generic failure detection utility of the algorithm the wide failure 
coverage, the demonstrated early failure indications for three SSME test 
cases, and the extensibility of the algorithm combine to provide a low 
risk, high payoff approach for significant improvements in near term SbML 

failure detection capabilities. 
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ATTACHMENT 1 

OVERALL FAILURE MODE RANKING 


KEY TO ATTACHMENT 1 


Column A - Overall Failure Mode Ranking 

Column C - SSME FMEA Failure Mode Designation 

Field 1 (1 digit) Component Type, example: B200-15 

A = COMBUSTION DEVICES 
B = TURBOMACHINERY 
C = PNEUMATICS 
D = PROPELLANT VALVES 
E = ACTUATORS 
F = CONTROLLER/FASCOS 
G = IGNITERS 

H = ELECTRICAL HARNESSES 
J = SENSORS/INSTRUMENTATION 
K = LINES AND DUCTS 
L = JOINTS 
M = GIMBAL 
N = ORIFICES 

Field 2 (3 digits) Specific Component Designation, example: B200-15 


Field 3 (2 digits) Failure Mode Designation, example: B200-15 


Column E - Specific Component (corresponds to field 2 of column C) 
Column F - Failure Mode (corresponds to field 3 of column C) 
Column BY - Figure of Merit Rating (0-1) 
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ATTACHMENT 2 

FAILURE MODE RANKING BY LRU 


KEY TO ATTACHMENT 2 


Column A - Overall Failure Mode Ranking 

Column C - SSME FMEA Failure Mode Designation 

Field 1 (1 digit) Component Type, example: B200-15 

A = COMBUSTION DEVICES 
B = TURBOMACHINERY 
C = PNEUMATICS 
D = PROPELLANT VALVES 
E = ACTUATORS 
F = CONTROLLER/FASCOS 
G = IGNITERS 

H = ELECTRICAL HARNESSES 
J = SENSORS/INSTRUMENTATION 
K = LINES AND DUCTS 
L = JOINTS 
M = GIMBAL 
N = ORIFICES 

Field 2 (3 digits) Specific Component Designation, example: B200-15 


Field 3 (2 digits) Failure Mode Designation, example: B200-15 


Column E - Specific Component (corresponds to field 2 of column C) 
Column F - Failure Mode (corresponds to field 3 of column C) 
Column BY - Figure of Merit Rating (0-1) 
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ATTACHMENT 3 

FAILURE MODE SUMMARIES 
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ABBREVIATIONS AND ACRONYMS 


AFV 

Anti-Flood Valve 

ASI 

Augmented Spark Igniter 

ccv 

Chamber Coolant Valve 

CCVA 

Chamber Coolant Valve Actuator 

F 

Flight 

FBV 

Fuel Bleed Valve 

FPB 

Fuel Preburner 

FPL 

Full Power Level 

FPOV 

Fuel Preburner Oxidizer Valve 

GCV 

Gaseous Oxygen Control Valve 

HEX 

Heat Exchanger 

HF 

High Frequency 

HGM 

Hot Gas Manifold 

HPFTP 

High-Pressure Fuel Turbopump 

HPOTP 

High-Pressure Oxidizer Turbopump 

HPV 

Helium Precharge Valve 

LPFTP 

Low-Pressure Fuel Turbopump 

LPOTP 

Low-Pressure Oxidizer Turbopump 

LRU 

Line Replaceable Unit 

LVDT 

Linear Variable Differential Transformer 

MCC 

Main Combustion Chamber 

MFV 

Main Fuel Valve 

MOV 

Main Oxidizer Valve 

MPL 

Minimum Power Level 

MR 

Mixture Ratio 

MVA 

Main Valve Actuator 

OBV 

Oxidizer Bleed Valve 

OPB 

Oxidizer Preburner 

OPOV 

Oxidizer Preburncr Oxidizer Valve 

rx 

Oxidizer 

PB 

Preburner 

PBP 

Preburner Boost Pump 

PBVA 

Preburner Valve Actuator 

PC A 

Pneumatic Control Assembly 

RIV 

Recirculation Isolation Valve 

RPL 

Rated Power Level 

RVDT 

Rotary Variable Differential Transformer 

SRB 

Solid Rocket Booster 

TB 

Test Bed 

VEEI 

Vehicle Engine Electronics Interface 
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Rank No.: 

Componcni: Heat Exchanger (HEX) 

Failure Mode: Coil fracture/leakage 

Line Replaceable Unit - Failure Mode No.: A150-01 


Possible causes : 


Possibl e a ffects: 


Available sensors : 


(1) Coil weld or parent material fracture due to fatigue, ( 2 j 
loss of channel/bracket supports, (3) damage due to impact 
from fragmented liner, turning vanes, or channels, (4) 
tube wall wear at support points, (5) tube damage during 
HPOTP removal and installation, and (6) coil collapse. 

Mixing of GOX with fuel-rich hot gas stream could result in 
ignition, detonation, and burning. Burning would result in 
coil, HGM liner or HPOTP turbine, or main injector bum- 
through causing loss of engine. Fuel-rich hot gas could 
enter the downstream side of the coil and combine with 
oxygen from the bypass system, causing a fire in the 
discharge line that supplies the POGO accumulator and the 
vehicle oxygen pressurization system. 

(1) HEX discharge pressure (F, TB), and (2) HEX interface 
temperature (F, TB). Detection is difficult to accommodate 


Test correlation w'ith failure mode : 901-222 


Rank No.: 2 

Component: Pneumatic Control Assembly (PCA) - Emergency Pneumatic Shutdown 

Failure Mode: Failure to supply Helium pressurant 

Line Replaceable Unit - Failure Mode No.: C200-11 

Possible causes: (1) PCA .component failure (PCA inlet Helium filter 

blocked, emergency pneumatic orifice blocked), (2) 
emergency shutdown solenoid valve failure (armature 
jammed closed, push rod jammed closed, broken spring). (3) 
vent port poppet/seat leakage (contamination, 
damaged/defectivc sealing surface), and (4) control cavity 
seal leakage (contamination, damaged/dcfcclivc seal). 

Possible effects : If Helium pressurant is not applied to the closing piston of 

the main fuel valve (MFV) actuator, the MFV could drift, 
causing propellant leakage which could in turn result in 
fire, open air detonation, and overpressure condition. 


Available sensors : 


None, no sensor information would be effective since, 
without a working PCA, the system can not be shutdown. 


Test correlation with failure mode : 750- 1 63 
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Rank No.: 3 

Component: High Pressure Fuel Turbopump (HPFTP) 

Failure Mode. Structural Failure of Turbine Blades 
Line Rcplaceaolc Unit - Failure Mode No.: B200-04 


Possible causes : 


(1) Rotor blade cracks, (2) loss of blade dampers, (3) 
excessive tip rubbing, (4) tip seal failure, (5) housing piloi 
lip failure (6) housing retaining lug failure, (7) nozzle 
failure, (8) impact from macroscopic contaminant, (9) disk 
fir-tree yielding or fracture, and (10) excessive rubbing ol 
platform seals. 


Possible effects : 


Available sensor s: 


Multiple blade failures resulting in immediate loss ol 
turbine power and rotor imbalance. Rotor imbalance 
results in excessive vibration which would cause more 
rubbing and additional component failures. Extensive 
turbine damage could result from impact and 

overtemperature. Possible burst of pump inlet due to 
pressure surge. Possible HPFTP seizure could result in LOX- 
rich shutdown with subsequent main injector or fuel 
preburner injector post damage/erosion. 

(1) HPFTP speed (F. TB). (2) LPFTP speed (F. TB), (3) HPFP 
discharge pressure (F. TB), (4) HPFT discharge temperature 
(F, TB), (5) LPFT discharge pressure (F, TB), (6) LPH 
discharge temperature (F, TB), and (7) FPB chamber 
pressure (F, TB), (8) FPOV position (F, TB), (9) OPOV position 
(F, TB), and (10) HPFTP housing strain (TB). 


Test correlation wit h failure mode: 902-249. 


Rank No.: 4 

Component: Nozzle Assembly 

Failure Mode: External Rupture 

Line Replaceable Unit - Failure Mode No.: A340-02 

Possible causes : (1) Structural failure of the steerhorn, feedhnes, mixer. 

diffuser, forward and aft manifold, and (2) tube I ail u rc and 
jacket fatigue. 

Possible effec ts: Overpressurization due to leakage external to the nozzle and 

into the aft compartment. Fragmentation may cause 
damage to adjacent engines. Sudden loss of fuel causes LOX- 
rich operation. 


Available sen sors: (1) HPFT discharge temperature (F. TB), (2) HPFT discharge 

pressure (F, TB), (3) HPOT discharge temperature (K IB). (4) 
HPOT discharge pressure (F, TB), (5) FPOV position (F. FB). 
and OPOV position (F* TB). 


Test correlation with lailurc 


mode : 901-485, 902-162, 750-041, 750-285, SF6-03.. SF10-0! 
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Rank No.: 5 

Component: Fuel Valve 

Failure Mode: Internal Leakage 

Line Replaceable Unit - Failure Mode No.: D1 10-01 


Possible causes : 
Possible effects . 
Available sensors : 


(1) Damage/failure - of seal, ball, or bellows, and (2) 
contamination. 

(1) Fire due to leakage, and (2) open air detonation and 
overpressure condition. 

(1) HPFT discharge temperature (F, TB), (2) HPOT discharge 
temperature (F, TB), (3) HPFT discharge pressure (F. TB), (4) 
HPOT discharge pressure (F, TB), (5) FPOV position (F, TB), 
(6) OPOV position (F, TB), (7) MCC coolant discharge 
temperature (F, TB), (8) MCC coolant discharge pressure (F, 
TB), and (9) MCC pressure (F, TB). 


Test correlation wit h failure mode : SF6-01 


Rank No.: 6 

Component: Fuel Preburner 

Failure Mode: Non-uniformity of Fuel Flow in the Injector Element. 
Line Replaceable Unit - Failure Mode No.: A600-04 


Possible causes : (1) contamination in the fuel annulus, and (2) slippage of 

LOX post support pins. 

Possible effects : Local high mixtures and recirculation of gases around the 

elements periphery due to non-uniformity which, in turn, 
causes local erosion of the injection element tip, the 
injector faceplate, the combustion zone liner or injector 
baffle. Erosion through the liner may result in burn- 

through of the structural wall. 


Available sensors : HPFT discharge temperature (F, TB), (2) FPB pressure (F. 

TB), (3) FPB fuel manifold pressure (TB), and (4) FPB 
oxidizer manifold pressure (TB). 

Test correlation with failure mode : SF10-01, 901-307, 902-244. 
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Rank No.: 7 

Component: High Pressure Fuel Turbopump (HPFTP) 

Failure Mode: Loss of support or position control. 

Line Replaceable Unit - Failure Mode No.: B200-15 

Possible causes : (1) Bearing failure (ball/cage failure, loss ol coolant. 

corrosion, contamination, race failures, (2) 
fracture/distortion of bearing carrier or excessive loss ol 
bolt preload, (3) excessive loss of bearing retaining nut 
preload, (4) excessive clearance at pump interstage seals, 
(5) failure or excessive wear of bearing preload spring, (6) 
pump slinger pin failure, and (7) stud failure or loss of 
preload. 

Possible effects : Reduced speed, flow and pump output pressure, and 

increased vibration levels. Possible turbine blade failure 
or disintegration of rotating assembly. 


Available sensors : (1) HPFTP speed (F, TB), (2) HPFTP discharge pressure (F. 

TB), (3) fuel flowrate (F, TB), (4) HPFTP radial and axial 
accelerometers (F, TB), (5) HPFP balance cavity pressure 
(TB), and (6) HPFP thrust bearing speed (TB). 


Test correlation with failure mode : none 


Rank No.: 8 

Component: Main Injector 

Failure Mode: LOX post crack 

Line Replaceable Unit - Failure Mode No.: A200-6 

Possible causes : (1) Impact damage, (2) weld or material flaws, (3) fatigue. 

(4) scrub liner failure, (5) heat shield retainer failure, (6) 
secondary faceplate retainer failure, and (7) loss of flow 
shield function. 


Possible effects : Post and injector burnout as a result of hot gas flowing into 

the posts and igniting with the oxidizer. Injector debris 
can rupture nozzle tubes, causing preburner luel 
starvation, turbine and main injector burnout, and ati 
compartment overpressurization and fire. 

Available sensors : (1) HPOT discharge temperature (F, TB), (2) HPFT discharge 

temperature (F, TB), (3) HPOT discharge pressure (F, TB), (4) 
HPFT discharge pressure (F, TB), (5) HPOP speed (F, TB), (M 
HPFP speed (F, TB), (7) OPOV position (F, TB). (8) FPOV 
position (F, TB), and (9) MCC pressure (F, TB). 


Test correlation with failure mode : 901-173, 901-183, 901-331, 902-198, 750-14S. 
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Rank No.: 9 

Component: Low Pressure Fuel Turbopump (LPFTP) 

Failure Mode: Fuel leakage fast liftoff seal. 

Line Replaceable Unit - Failure Mode No.: B600-06 


Possible causes : 


Possible effects : 


Available sensors : 


(1) Contamination, (2) damaged scaling surfaces on liftoff 
seal or shaft, (3) binding within liftoff seal, (4) leakage past 
static seal at liftoff seal to manifold interface, and (5) 
damage due to failure to liftoff.. 

Fuel flow into the turbine and through the MCC and nozzle 
with the possible result of open air fire/detonation 

(1) LPFTP discharge pressured, (2) LPFTP shaft speed. O) 
LPFTP discharge HF pressure, (4) LPFTP turbine inlet 
pressure, (5) LPFTP turbine pressure drop, and (6) LPFTt- 
radial accelerometer. 


Test correlation with failure mode : None. 


Rank No.: 1 0 

Component: High Pressure Oxidizer Turbopump (HPOTP) 

Failure Mode: Turbine Blade structural failure. 

Line Replaceable Unit - Failure Mode No.: B400-03 


Possible causes: 


Possible 

effects: 

Available 

sensors 


(1) Blade cracks, (2) rotor blade tip rubbing, (3) honeycomb 
retainer failure, (4) impact, (5) inadequate cooling How, (6) 
loss of damper function, (7) operation t resonance, (8) d!.>c 
fir-tree yielding and fracture, and (9) nozzle failure. 

Loss of turbine blades, leading to multiple blade failure and 
rotor unbalance, with subsequent rubbing and ultimate 
rotating assembly disintegration. 

(1) Strain gages near shaft, and (2) accelerometer 


Test correlation with failure mode : None. 
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Component: High Pressure Oxidizer Turbopump (HPOTP) 

Failure Mode: Loss of Axial Balancing Force 

Line Replaceable Unit - Failure Mode No.: B400-14 


Possible causes : 


(1) Damage to balance piston orifices from contamination, 
and (2) Loss of bolt preload causing rubbing in the balance 
piston region. 


PossMSi effects : Excessive shaft axial displacement resulting in internal 

rubbing of rotating components. Disintegration of rotating 
parts will occur at high speeds. 


Available sensors : 


(1) Strain gage near shaft, and (2) HPOTP preburner 
accelerometer. 


Test correlation with failure mode : none 


ixaun t _ _ 

Component: High Pressure Oxidizer Turbopump (HPOTP) 

Failure Mode: Failure to Transient Torque 

Line Replaceable Unit - Failure Mode No.: B400-07 

Pnssihle causes : (1) Failure of shaft or impeller splines, (2) Curvic coupling 

failure, (3) Loss of turbine tie - bolt preload, (4) Loss of 
prebumer tie-bolt preload, (5) Main impeller retainer 
nut/lock failure, (6) Turbine disc failure, and (7) Shalt 
fai lure. 


Possible effects: Turbine unload and overspeed with probable blade failure 

and/or disk burst, rubbing, and rotor unbalance. Turbine- 
burst may cause shrapnel damage to other parts of the 
engine, resulting in ultimate rotating assembly 
disintegration, fire, or explosion. 

Available sensors : (1) HPOTP pump speed, (2) HPOTP discharge pressure. (3) 

HPOTP discharge temperature, (4) Strain gages, and (5) 
Accelerometer. 


Test correlation with failure mode : 750-175. 
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Rank No.: 13 

Component: Main Injector 

Failure Mode: Intcrpropellant Plate Cracks 

Line Replaceable Unit - Failure Mode No.: A200-09 



(1) Weld or parent material failure, and (2) Heat shield 

failure. 



Ignition occurring in the main injector resulting in 
injector/powcrhead burnout, and aft compartment 
overpressurization and fire. LOX/post damage, MCC erosion, 
and nozzle tube rupture may result. 

(1) HPFTP discharge temperature, and (2) HPOT discharge 
temperature. 


901-173, 750-148. 



Rank No.: 14 

Component: High Pressure Oxidizer Turbopump 

Failure Mode: Pump Piece Part Structural Failure 
Line Replaceable Unit - Failure Mode No.: B400-22 



Internal structural failure of shaft, main housing, 
preburner pump housing, intermediate seal, mating ring, 
and other hardware (springs, nuts, washers, bolls, seals), 
etc. 



Fire from LOX impact or rubbing, hot gas leakage into 
primary OX seal cavity. 

(1) HPOTP turbine discharge pressure, (2) HPOTP turbine 
discharge HF pressure, (3) HPOTP discharge temperature, 
and (4) HPOTP radial and axial accelerometers. 



901-110. 
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Rank No.: 15 

Component: Main Combustion Chamber 

Failure Mode: Fuel Leaks into the Closed Cavity Between the Liner and Structural 
Jacket 

Line Replaceable Unit - Failure Mode No.: A330-02 


Possible causes : 


(1) Failure in EDNi liner closeout structure caused by long 
liner inner wall cracks; (2) Jacket EB closeout weld over 
penetration into EDNi liner; and (3) Fracture of manifold to 
liner welds. 


Possihle effects: Burst diaphragm rupture due to leakage into the closed 

* * cavity, venting the cavity into the engine fuel drain 

system. Excessive leakage causes deformation of the liner 
in the divergent section. Significant changes in the 
exhaust gases flow produce a strong shock at the 
downstream nozzle wall. Tube failures cause loss of fuel to 
the prebumers and high turbine temperatures. Cavity 
overpressurization causes ripping of welds, sudden loss of 
fuel, engine turbine, and aft compartment 
overpressurization and fire. 

Available sensors : (1) MCC liner cavity delta-pressure, (2) FPB fuel manifold 

pressure, (3) OPB LOX manifold pressure, (4) MCC coolant 
delta pressure, (5) FPOV actuator position. (6) OPOV actuator 
position, (7) HPFTP turbine discharge temperature, (8) 
HPOTP turbine discharge temperature, (9) HPFTP pump 
discharge pressure, (10) HPFTP boost pump discharge 
pressure, (11) LPFTF shaft speed, (12) LPFTP pump 
discharge pressure, and (13) HPOTP pump discharge 
pressure. 


Test correlation with failure mode : None 


Rank No.: 16 

Component: LPFTP Turbine Discharge Duci 

Failure Mode: Fails to Contain Hydrogen 

Line Replaceable Unit - Failure Mode No.: K103-01 


Possible causes : 


(1) Parent material failure or weld failure; and (2) Flex 
joint assemblies structural failure of retainer assembly, 
internal support assembly, inner bellows, or welds. 


Possible effects : Fuel leakage into aft compartment resulting in 

overpressurization and possible fire or detonation. 

Available sensors : (1) HPFTP inlet HF pressure, (2) Fuel flow, (3) LPFTP 

discharge HF pressure, (4) HPFTP axial accelerometer, (5) 
HPFTP radial accelerometer, and (6) HPFTP shaft speed. 


Test correlation with failure mode : None 
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Rank No.: 17 

Component: GOX Control Valve 

Failure Mode: Maintain Structural Integrity 

Line Replaceable Unit - Failure Mode No.: D500-06 


Possible causes: 

(1) Fracture of housing; and (2) Internal structural failure 
of poppet, check valve poppet. GCV or check valve retainer, 
seat, stem, guide, poppet spring or check valve snapspring, 
guide retainer ring, and check valve seal. 

Possible effects: 

(1) Loss of pogo suppression flow and overpressurization of 
aft compartment; and (2) Fire from GOX impact or rubbing. 

Available sensors: 

(1) LPOTP pump discharge HF pressure, (2) LPOTP pump 
discharge pressure, (3) LPOTP pump discharge temperature, 
(4) HPOTP inlet HF pressure. 

Test correlation with 

failure mode: None 

Rank No.: 18 

Component: Anti-Flood Valve 

Failure Mode: Leakage During Propellant Conditioning 
Line Replaceable Unit - Failure Mode No.: D300-01 

Possible causes: 

(1) Poppet or seat damage, (2) Contami»;.iion, and (3) 
Fractured poppet or piston springs. 

Possible effects: 

LOX flow to heat exchanger. Heat from start will cause GOX 
to overpressurize and rupture the heat exchanger coils. 
LOX and hot-gas will mix resulting in uncontaincd 
fire/explosion. 

Available sensors: 

(1) HEX vent inlet pressure, (2) HEX vent delta-pressure, (3) 
HEX inlet temperature, and (4) HEX inlet pressure. 

Test correlation with 

failure mode: None 

Rank No.: 19 

Component: High Pressure Fuel Duct 

Failure Mode: Fails to Contain Hydrogen 
Line Replaceable Unit - Failure Mode No.: K 106-02 

Possible causes: 

Parent material or weld failure. 

Possible effects: 

Fuel leakage into aft compartment resulting in 
overpressurization and possible fire or detonation. 

Available sensors: 

(1) HPFTP discharge pressure, and (2) HPFTP discharge temp 

Test correlation with 

failure mode: None 
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Rank No.: 20 

Component: Low Pressure Oxidizer Turbopump 

Failure Mode: Loss of Support and Position Control 
Line Replaceable Unit - Failure Mode No.: B800-06 


Possible causes: 


(1) High rotor axial thrust loads; (2) Pump/turbinc end 
bearing failure due to wear, spalling, pitting, cage 
wear/failure, corrosion, loss of coolant or contamination; 

(3) Loss of support bolt preload; (4) Loss of pump/turbinc 
end bearing inner and outer race retaining nut preload due 
to nut failure, lock failure, or vibration; (5) Turbine end 
bearing preload spring wear/failure; (6) Excessive fretting 
at bearing journals; and (7) Excessive rotor radial loads. 


Possible effects- 


Potential contact between rotor and stationary components 
due to excessive rotor movement; rubbing in oxygen 
environment can cause LPOTP fire or explosion. 


Available sensors : (1) LPOTP radial accelerometer, and (2) LPOTP pump 

discharge temperature. 


Test correlation with failure mode : None 


Rank No.: 21 

Component: Main Injector 

Failure Mode: External Rupture 

Line Replaceable Unit - Failure Mode No.: A200-07 

Possible causes : (1) Weld or parent material failure; (2) Splitter failure; and 

(3) Liquid metal embrittlement at braze areas. 

Possihle effects : LOX and hot-gas leakage into the aft compartment resulting 

in overpressurization and fire. 


Available sensors: 


(I) MCC pressure, (2) Main injector secondary face plate 
delta-pressure, (3) MCC liner cavity delta-pressure, (4) MCC 
fuel injection pressure, (5) FPB fuel manifold pressure, ( ) 
OPB LOX manifold pressure. (7) FPOV actuator position. (8) 
OPOV actuator position, (9) HPFTP turbine discharge 
temperature, (10) HPOTP turbine discharge temperature, 

(II) HPFTP pump discharge pressure, (12) HPFTP boost 
pump discharge pressure, (13) LPFTP shaft speed. (Mi 
LPFTP pump discharge pressure, and (15) HPOTP pump 
discharge pressure. 


Test correlation with failure mode : None 
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Rank No.: 22 

Component: Chamber Coolant Valve Actuator 

Failure Mode: Sequence Valve Leaks Passing Early Control Pressurant Downstream 
Line Replaceable Unit - Failure Mode No.: E150-14 


Possible causes : 


Damaged sequence valve and valve seals. 


Possible effects : 


Available sensors : 


The control pressurant closes the purge sequence PAV 
early with the result of terminating prebumer shutdown 
purges; HPOTP intermediate seal purge, and pogo shutdown 
charge. Loss of pogo shutdown charge during MECO, at zero 
6 condition and minimum NPSP, will result in 
cavitation/overspeed of HPOTP and/or LPOTP. 

(1) HPOTP inlet HF pressure, (2) LPOTP inlet pressure, (3) 
LPOTP shaft speed, (4) HPOTP turbine radial accelerometer. 
(5) FPB purge pressure, (6) OPB purge pressure, and (7) 
HPOTP intermediate seal purge pressure. 


Test corr elation with failure mode : None 


Rank No.: 23 

Component: Oxidizer Bleed Valve 

Failure Mode: Fretting of Internal Parts 

Line Replaceable Unit - Failure Mode No.: D220-06 

Possible causes: Relative motion of poppet/piston and 

poppet/spring/poppet. 

Possible effects: Fire from ignition of internal parts. 

Available sensors : Not detectable. 

Test correlation wit h failure mode : None 
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Rank No.: 24 

Component: High Pressure Oxidizer Turbopump 

Failure Mode: Turbine P.'eoe Part Structural Failure 
Line Replaceable Unit - Failure Mode No.: B400-23 

Possible causes : Internal structural failure of turbine housing, discharge 

strut/strut retainer, shaft, disc, first-stage turbine blades 
and dampers, first-stage tip seal and retainer, first stage 
nozzle, second-stage turbine blade and dampers, second- 
stage tip seal, second-stage nozzle, interstage seal, jet ring, 
bellows shield, turbine seal coolant shield, discharge strut 
retainer disc bolt and washer, turbine blade lock, first- 
stage nozzle retainer bolts and lock, first-stage nozzle 
retainer bolts and washers, jet ring retainer bolts and 
washers, turbine seal retainer bolts and locks, and first 
s'age nozzle plug. 


Possible effects : 


Migration downstream of part fragment resulting in 
puncture of heat exchanger tube. 


Available sensors : (1) HPOTP turbine discharge pressure, (2) HPOTP turbine 

discharge HF pressure, (3) HPOTP discharge temperature, 
and (4) HPOTP radial and axial accelerometers. 


Test correlation with failure mode : None 


t 
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Rank No.: 25 

Component: Main Combustion Chamber 

Failure Mode: Internal Rupture at the MCC Nozzle Interface 

Line Replaceable Unit - Failure Mode No.: A330-03 


Possible 

causes: 

Possible 

effects: 

Available 

sensors: 


(1) Delamination of the nickel plating at the aft end of the 
MCC; (2) Weld failures at the turnaround manifold of the 
liner, and (3) Weld or parent material failure. 

Fuel leakage at the internal interface to be dumped into the 
main exhaust gases. Loss of fuel to the LPFTP will result in 
HPFTP cavitation, LOX-rich operation, and engine failure 

(1) HPOT discharge temperature. 


Test correlation with failure mode : 750-148 
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Rank No.: 26 

Component: High Pressure Fuel Turbopump 

Failure Mode: Structural' Failure 

Line Replaceable Unit - Failure Mode No.: B200-26 


Possible causes : 


Possible effects : 


(1) Failure of parent metal or welds in main housing, inlet 
housing, thrust bearing housing; and (2) Diffuser cracking 
causing overpressurization of pump housing. 

(1) Immediate loss of turbopump output; and (2) External 
damage to engine from hydrogen fire or explosion and aft 
compartment overpressurization. 


Available sensors : 

Test correlation wit h failure mode: None 


(1) HPFP discharge pressure, (2) Housing strain 
measurements, and (3) Housing accelerometer. 


Rank No.: 27 

Component: Oxidizer Bleed Flex Line 

Failure Mode: Fails to Contain Oxidizer 

Line Replaceable Unit - Failure Mode No.: K203-01 


Possible causes: 

(1) Parent material failure 
Damage/defective bellows 

or weld failure; and (2) 
assembly. 

Possible effects: 

(1) Oxidizer leakage into 
compartment. 

and overpressurization of aft 

Available sensors: 

No engine sensors. 


Test correlation with 

failure mode: None 


Rank No.: 28 

Component: Main 

Failure Mode: Piece 
Line Replaceable Unit 

Oxidizer Valve 
Part Structural Failure 
- Failure Mode No.: D120-05 


Possible causes: 

Internal structural failure of bellows, cam follower, 
inlet/outlet sleeve, shaft bearing retainer, cam/shafl 
bearing, ball/shaft seal, shaft assembly, and fasteners 
cup washers. 

Possible effects: 

Fire from LOX impact or 

rubbing. 

Available sensors: 

(1) MOV discharge HF pressure, and (2) MOV hydraulic 
temperature. 

Test correlation with 

failure mode: None 
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Rank No.: 29 

Component: Powerhead 

Failure Mode: Shell or Propellant Duct Rupture 
Line Replaceable Unit - Failure Mode No.: A050-02 


Possible causes : 
Possible effects : 

Available sensors : 


Weld or parent metal failure. 

(1) External fuel or hot-gas leak; and (2) Overpressurization 
of aft compartment. 

(I) MCC pressure, (2) Main injector secondary face plate 
delta-pressure, (3) MCC liner cavity delta-pressure. (4) MCC 
fuel injection pressure, (5) FPB fuel manifold pressure, (6) 
OPB LOX manifold pressure, (7) FPOV actuator position, (8) 
OPOV actuator position, (9) HPFTP turbine discharge 
temperature, (10) HPOTP turbine discharge temperature, 

(II) HPFTP pump discharge pressure, (12) HPFTP boost 
pump discharge pressure, (13) LPFTP shaft speed, (14) 
LPFTP pump discharge pressure, and (15) HPOTP pump 
discharge pressure. 


Test correlation with failure mode: None 


Rank No.: 30 

Component: Fuel Preburner 

Failure Mode: External Rupture 

Line Replaceable Unit - Failure Mode No.: 


A600-11 


Possible causes : 
Possible effects : 


Available sensors : 


Failure of parent material or weld. 

Leakage into the aft compartment causing 
overpressurization and/or fire. 

(1) FPB injector delta-pressure, (2) FPB temperature. (3) 
FPB fuel manifold temperature, (4) FPB AS I fuel 
temperature, (5) FPB orifice inlet temperature, (6) FPB 
accelerometer, (7) FPB liner axial temperature, (8) FPB 
manifold pressure, (9) FPB chamber HF pressure, and (1()> 
FPB chamber HP delta-pressure. 


Test correlation with failure mode : None 
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Rank No.: 3 1 

Component: Main Oxidizer Valve 

Failure Mode: Structural Failure 

Line Replaceable Unit - Failure Mode No.: D1 20-04 

Possible — causes: Fracture of housing or end cap. 

E o a s i b l e effects : (1) Reduced oxidizer flow to engine; and (2) High pressure 

oxidizer leakage into aft compartment. 

A vailab l e _ sensors : (1) MOV discharge HF pressure, and (2) MOV hydraulic 

temperature. 

Test correlation with failure mode : None 


Rank No.: 32 

Component: Pneumatic Control Assembly (PCA) - Oxidizer System Purge 

Failure Mode: Insufficient or No Nitrogen Purge Flow During Propellant Conditioning 

Line Replaceable Unit - Failure Mode No.: C200-07 


Possible causes : 


Possible effects : 


Available sensors : 


(1) PCA component failure due to blocked/restrictcd PCA 
inlet nitrogen filter, ruptured PCA oxidizer system burst 
diaphragm, blocked/restricted HPOTP intermediate seal 
purge control orifice, or blocked/restricted MCC oxidizer 
dome purge control orifice; (2) Oxidizer system purge 
pressure activated valve failure; (3) Control cavity seal 
leakage due to contamination, damaged/defective seal, or 
blocked flow passage; and (4) Vent port poppet/seat leakage 
due to contamination, damaged/defective sealing surface, 
or damaged guide. 

(1) Reduced nitrogen flow causing loss of oxidizer dome 
purge resulting in uncleared moisture and ice formation; 
LOX orifices block can cause combustion within the post, 
post burn through, and extensive erosion during start; 
uncontained engine damage; (2) Reduced flow causing loss 
of intermediate seal purge resulting in uncleared moisture 
and ice formation during propellant drop; ice damages 
HPOTP intermediate seal causing failure; LOX and hot- 
turbine gases mix resulting in uncontaincd engine damage 
during start; and (3) Loss of purge reduces the purge flow 
below acceptable limits for inerting propellant leakage at 
ICD limits with the potential result of open air fire. 

Prebumer purge monitor patch (OPB and FPB purge 
pressure redlines) 


Te st correlation with failure mode : 901-129, 902-330 
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Rank No.: 33 

Component: Main Injector 

Failure Mode: Partial Blockage of an Oxidizer _ Orifice 
Line Replaceable Unit - Failure Mode No.: A200-05 


Possible causes : 
Possible effects: 


Local contamination in oxidizer manifold 

Combustion gas backflow into the post causing combustion 
within the post and post bum - through as a result of 
blockage. Extensive subsequent erosion results in art 
compartment overpressurization and fire. 


Available sensors : 


(1) Main injector secondary face plate delta-pressure, (2) 
HGM fuel transfer duct HF pressure. (3) Main injector LOX 
injection pressure, and (4) Main injector LOX injection 
temperature. 


Test correlation wit h failure mode: None 


Rank No.: 34 

Component: Fuel Prebumer Oxidizer Valve 

Failure Mode: Shaft Seal Leak 

Line Replaceable Unit - Failure Mode No.: D 130-03 


Possible causes: 


(1) Contamination generated from coupling. 


Possible effects : 


(1) Leakage past both the primary and secondary seals 
results in burst diaphragm rupture; and (2) IF hydraulic 
fluid leakage from the actuator primary and secondary 
seals exist concurrently, commingling of oxidizer and 
hydraulic fluid will result in firc~ 


Available sensors : 


(1) FPB ASI LOX orifice pressure, (2) FPB ASI LOX orifice 
delta-pressure, (3) FPB ASI LOX temperature, and (4) FPB 
actuator position. 


T^st correlation with failu re mode. None 
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Rank No.: 35 

Component: Main Oxidizer Valve 

Failure Mode: Fretting of Internal Parts 

Line Replaceable Unit - Failure Mode No.: D 120-06 


Possible effects: 


(1) Relative motion of (i) bellows/housing, (ii) 
sleeve/bellows/shim, (iii) cam follower/guide/housing. 

(iv) bellows/guide/cam follower, (v) shaft 
bearings/retainer, (vi) retainer/shaft, (vii) retaincr/wavc 
washers/cap, and (viii) outlet sleeve/housing/shim. 

(1) Fire from ignition of internal parts. 


Ava i lable — s ensors : (1) MOV discharge HF pressure, and (2) MOV hydraulic 

temperature. 


Test correlation with failure mode : 901-225. 


Rank No.: 36 

Component: High Pressure Oxidizer Turbopump 

Failure Mode: Loss of Support, Position Control, or Rotordynamic Stability 
Line Replaceable Unit - Failure Mode No.: B400-13 


Possible — Causes : (1) Bearing failure due to spalling, pitting, wear or 

corrosion of balls/races; loss of radial clearance; cage 
failure; loss of coolant; or contamination in bearings; (2) 
Excessive PBP damping seal clearance; (3) Loss of bearing 
retaining bolt preload; (4) Cartridge wet failure or loss of 
support; (5) Loss of bearing retainer nut preload; (6) 
Bearing preload spring failure; (7) Excessive turbine 
interstage seal clearance; (8) Excessive primary and 
secondary turbine seal clearance; (9) Fretting of 
bearing/cartridge or isolator; and (10) Loss or increase of 
deadband. 


Possible — g . ffects : (1) Bearing failure results in excessive axial or radial 

displacements which leads to rubbing of turbine or pump 
components; disintegration of rotating parts, possibly 
resulting in an oxidizer fire or explosion. 

A v a ilable sensors : (1) HPOT speed (F, TB), (2) HPOT discharge pressure (F, TB), 

(3) HPOT discharge temperature (F, TB), and (4) HPOTP 
radial and axial accelerometers (F, TB). 

Test corre lation with failure mode : 901-136 


162 



Rjink o 37 

Component: High Pressure Fuel Turbopump 

Failure Mode: Turbine Discharge Flow Blockage 
Line Replaceable Unit - Failure Mode No.: B200-07 


Possihlc causes : 


(1) Turnaround duct distortion/buckling; (2) Sheet metal 
cracking resulting in loss of pieces; (3) stiffener vane 
cracking resulting in loss of pieces or disengagement of 
slip joint; and (4) Failure of coolant liner. 


Possible effects : (1) Flow blockage decreases turbine pressure ratio, reduces 

turbopump speed, flow and discharge pressure. Decreased 
flow is sensed by controller which increases fuel 
prebumer oxidizer flow; (2) A rapid buckling may result in 
extensive turbine damage from overtemperature, and ( 3 ) 
Possible burst of pump inlet due tc pressure surge. 


Available sensors: 


(1) HPFTP discharge temperature, (2) HPFTP pump speed. 
(3) Flowrate, (4) HPFTP discharge pressure, and (5) Strain 
gage for turn around duct metal. 


Test correlation wi th failure mode: 901-340, 901-363, 902-118, 901-436. 


Rank No.: 3 8 

Component: High Pressure Oxidizer Turbopump 

Failure Mode: Loss of Coolant to First- and Second-Stage Turbine Components 

Line Replaceable Unit - Failure Mode No.: B400-20 

Possible causes : (1) Fracture or blockage of coolant circuits; (2) Coolant 

passage cracks into main housing, (3) Jet ring failure, (4) 
Failure of second-stage nozzle/interstage seal, and (51 
OPB/HPOTP pressure-assisted seal leakage. 

Possible effects : (1) Overheating of inlet strut, disks and blades, nozzle box 

structures, and turbine interstage seal lead to flow 
distortion and rubbing; and (2) Structural component 
failure results in disintegration of rotating components. 


Available sensors : (1) HPOTP primary seal drain temperature, (2) HPOTP 

primary seal drain pressure, (3) HPOTP turbine seal cavity 
pressure, (4) HPOTP turbine radial accelerometer, (5) HPOTP 
turbine discharge pressure, and (6) HPOTP turbine 
discharge HF pressure. 


T est correlation wit h failure mode: None 


163 



Rank No.: 39 

Component: Anti-Flood Valve 

Failure Mode: LOX Flow Restricted or Shutoff 

Line Replaceable Unit - Failure Mode No.: D300-03 


Possible — causes : (1) Blocked inlet filter; (2) Vent passage blocked and 

cracked piston/piston seal leakage; and (3) Fractured 
poppet/seat. 

P o ssible — £ [feels : (1) Loss of pressurant flow to accumulator and vehicle; (2) 

Collapse and possible cracking of heat exchanger coil; (3) 
Hot-gas flow to vehicle oxidizer tank and pogo accumulator; 
and (4) Loss of pogo suppression. 


Ava i lable .s ensors : (1) HEX vent inlet pressure, (2) HEX vent delta-pressure, ( 3 ) 

HEX inlet temperature, (4) HEX inlet pressure, (5) Oxidizer 
tank pressure, and (6) LPOTP pump discharge pressure. 

Xest correlation with failure mode : None 


Rank No.: 40 

Component: Oxidizer Preburner 

Failure Mode: Loss of Fuel to ASI 

Line Replaceable Unit - Failure Mode No.: A700-02 

Possible — causes : Contamination of the ASI fuel orifices/passageways 

P ossible effect? : High mixture ratio erosion of the ASI combustion chamber 

walls, injector burnout, loss of turbine, and engine failure 
due to loss of fuel. 

Available — se nsors ; (1) FPOV valve position, (2) OPOV valve position, and (3) 

HPOT discharge temperature. 

Test correlation with failure mode : None 
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Rank No.: 41 

Component: High Pressure Fuel Turbopump 

Failure Mode: Loss of Coolant Flow to Turbine Bearings 
Line Replaceable Unit - Failure Mode No.: B200-16 

Possible causes : (1) Lift-off sealing binding/closure; (2) Coolanl flow 

passage blockage; (3) Failure of turbine hub labyrinth seal; 
(4) Failure of vortex control paddle or its torque pin on 
shaft-end; and (5) Hot-gas leakage past Kaiser cap to 
turbine bearing carrier interface due to static seal failure; 
thermal shield failure, nut failure, or Kaiser cap failure. 


Possible effects : (1) Bearings overheat and fail, causing rubbing, increased 

vibration and possible turbine blade failure or 
disintegration of rotating assembly. 

Available sensors : (1) HPOTP turbine radial accelerometer, (2) HPOTP turbine 

axial accelerometer, (3) HPOTP turbine discharge 
temperature, (4) HPOTP turbine discharge pressure, (5) 
HPOTP primary seal drain pressure, and (6) HPOTP primary 
seal drain temperature. 


Test correlation with failure mode : 901-364, 902-209, 750-165 


Rank No.: 42 

Component: High Pressure Fuel Turbopump 

Failure Mode: Loss of Coolant Flow to Turbine Discs 
Line Replaceable Unit - Failure Mode No.: B200-17 


Possible causes : 


Possible 

effects: 

Available 

_ sensory 


(1) Lift-off sealing binding/closure; (2) Coolant flow 
passage blockage; (3) Failure of turbine hub labyrinth seal; 
(4) Failure of vortex control paddle or its torque pin on 
shaft-end; and (5) Failure of interstage seal. 

(1) Loss of coolant to one side of disc can allow disc 
deflection and platform seal rubbing; and (2) Excessive 
coolant loss can allow turbine first-stage or second-stage 
disc to overheat and burst. 

(1) HPOTP turbine radial accelerometer, (2) HPOTP turbine 
axial accelerometer, (3) HPOTP turbine discharge 
temperature, (4) HPOTP turbine discharge pressure, (5) 
HPOTP primary seal drain pressure, and (6) HPOTP primary 
seal drain temperature. 


Test correlation with failure mode : 901-364, 902-209, 750-165 
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Rank No.: 43 

Component: High Pressure Oxidizer Turbopump 

Failure Mpde: Loss of Coolant to Bearings 

Line Replaceable Unit - Failure Mode No.: B400-18 



(1) Blockage of turbine and bearing coolant circuits; and 

(2) leakage past aft prcbumer pump pressure - assisted 
seal. 



(1) Bearings degrade causing rubbing and disintegration of 
rotating components. 

(1) HPOTP turbine radial accelerometer, (2) HPOTP turbine 
axial accelerometer, (3) HPOT shaft speed, (4) HPOTP turbine 
discharge pressure, (5) HPOTP turbine discharge 
temperature, (6) HPOTP turbine seal cavity pressure, and 
(7) HPOTP primary seal drain pressure. 


None 


Rank No.: 44 

Component: High Pressure Fuel Turbopump 

Failure Mode: Failure to Restrain Shaft Movement During Turbopump Startup 
Line Replaceable Unit - Failure Mode No.: B200-24 



(1) Failure of thrust - carrying ball bearing due to ball, 
cage, or race failure, corrosion or contamination; (2) 
Failure of thrust ball; and (3) Failure of shaft insert. 

(1) Excess shaft movement can result in rubbing of 
components causing turbopump performance degradation: 

(2) Controller senses decreased flow and increases fuel 
prebumer oxidizer flow; and (3) Increased turbine 
discharge temperature. 

(1) HPFTP turbine accelerometer, (2) HPFTP turbine 
discharge temperature, (3) HPFTP discharge pressure, (4) 
HPFTP shaft speed, (5) HPFTP housing strain, and (6) FPOV 
actuator position. 



None 
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Rank No.: 45 

Component: High Pressure Fuel Turbopump 

Failure Mode: Loss of Balancing Capability 

Line Replaceable Unit - Failure Mode No.: B200-23 


Possible causes: 


(1) High pressure orifice failure; and (2) Low pressure 
orifice failure. 


Possible effects: 


Available sensors: 


(1) Rubbing of turbine platform seals, and/or rubbing of 
third-stage impeller back shroud against low pressure 
orifice results in reduced turbopump performance, damage 
to rubbing parts, and reduced coolant flow to turbine, and 

(2) Possible pump inlet burst due to pressure surge. 


(1) HPFTP inlet temperature, (2) HPFTP inlet pressure, (3) 
HPFTP inlet HF pressure, (4) HPFTP turbine discharge 
temperature, (5) HPFTP discharge pressure. (6) HPFTP 
discharge HF pressure, (7) HPFTP shaft speed, and (8) HPFTP 
turbine accelerometers. 


Test correlation w ith failure mode: None 
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ATTACHMENT 4 


CHANGES IN INDIVIDUAL MEASUREMENTS FOR SELECTED 

DEGRADATIONS 
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ATTACHMENT 5 

SUMMARY OF EXPECTED PLUME CONTAMINANTS 


KEY TO ATTACHMENT 5 

Column 1 - SSME FMEA Failure Mode Designation 

Field 1 (1 digit) Component Type, example: B200-15 

A = COMBUSTION DEVICES 
B = TURBOMACHINERY 
C = PNEUMATICS 
D = PROPELLANT VALVES 
E = ACTUATORS 
F = CONTROLLER/FASCOS 
G = IGNITERS 

H - ELECTRICAL HARNESSES 
J * SENSORS/INSTRUMENTATION 
K = LINES AND DUCTS 
L = JOINTS 
M = GIMBAL 
N = ORIFICES 

Field 2 (3 digits) Specific Component Designation, example: B200-15 


Field 3 (2 digits) Failure Mode Designation, example: B200-15 

Column 2 - Specific Component (corresponds to field 2 of column 1) 

Column 3 - Reaction Time: imm(ediate) = 0-1 second 

sec(onds) = 1-60 seconds 
min(utes) = 1-60 minutes 

Column 4 - Cause or Effect of Failure Mode (null = effect) 

Column 5 - Component Within Assembly Expected to Contaminate Plume 
Column 6 - Material(s) Corresponding to Column 5 Component 
Column 7 - Composition of Materials in Column 6 (%wt) 
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SUMMARY OF PLUME CONTAMINANTS EXPECTED BASED ON SSNE FMEA 
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ATTACHMENT 6 

TREND ALGORITHM RESULTS - TEST 901-364 
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Figure A2 - Engine Oxicli/er Inlet Pressure 
Test 901-36T 
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f igure A7 - Heat Exchanger Interface Temp, Test 901-364 
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Figure A8 - FPOV Actuator Position, Test 901-364 






Figure A9 - OPOV Actuator Position, Test 901-364 





ATTACHMENT 7 

TREND ALGORITHM RESULTS - TEST 901-225 
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Figure B 1 1 - High Pressure Oxidizer Turbine Discharge Temperature 
Test 901-225 
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High Pressure Oxidizer Turbine Discharge Temperature 
Test 901-225 
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Figure B14 - Heat Exchanger Interface Pressure, 
Test 901-225 
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START TRANSIENT FLEETWIDE OPERATING ENVELOPES 
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ATTACHMENT 9 

START TRANSIENT ANOMALY INDICATIONS - TEST 902-132 
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Figure-2: HPFP Speed 
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TIME FROM ENGINE START, SECS 
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Figure-3: HPFP Discharge Temperature 
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TIME FROM ENGINE START, SECS 
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Figure-4: Low Pressure Fuel Turbine Inlet Pressure 
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Figure- 5: Facility Fuel Flowrate (CH-A) 
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Figure-6 : 


Facility Fuel Flowrate 


(CH-B) 
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Figure-8 : Fuel Preburner Chamber Pressure 
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Figure-9: HPFP Coolant Liner Pressure 
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Figure-10: HPFP Balance Cavity Pressure 
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Figure-11: Main Chamber Pressure 
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ATTACHMENT 10 

SSME FLIGHT AND FACILITY MEASUREMENTS 


KEY TO ATTACHMENT 10 


Column 1 - Parameter Identification Number 


Column 2 - Measurement System Identification Number 


FIELD NO. 1 (FIRST CHARACTER) FIELD NO. Z (SECOND * THIRO CHARACTERS) 


A - GROUNO TEST ARTICLE 
E - MAIN ENGINE 
F - FACILITY 
G - GSE 
T - ET 
V - ORBITER 


FIELD NO. 3 (FOURTH CHARACTER) 

C - CURRENT 

D - VIBRATION 

G - FORCE/STRESS/STRAiN 

H - POSITION 

K - STIMULUS 

M - MULTI- DATA 

P - PRESSURE 

Q - QUANTITY 

R - RATE 

T - TEMPERATURE 

V - VOLTAGE 
W - TIME 

X - OISCREET EVENT 

Y - ACOUSTICS 


07 - AEROOYNAMIC/THERMOOYNAMICS 

08 - STRUCTURAL DYNAMICS 

09 - THERMAL PROTECTION SYSTEM (TPS) 
35 - AFT FUSELAGE 

38 - PURGE AND VENT 
41 - MAIN PROPULSION 

48 - ET OTI 

49 - SSME GTI 
56 - HYDRAULIC 

79 - FLIGHT CONTROL 


FIELO NO, 4 (FIFTH THRU EIGHTH CHARACTER) 

0001 - 8999 OTI MEASUREMENTS 
9000 - 9999 OF I MEASUREMENTS 
0001 - 9999 GTi/OTI MEASUREMENTS 
(NUMBERED SEQUENTIALLY FOR FIELDS 
ONE AND TWO) 


FIELO NO. 5 (NINTH CHARACTER) 


! rnirrm 


ANALOG 

EVENT 

DIGITAL 

A 

i 

0 




HdiH 

■aMiaiiaawaaa i r ■ m m 1 1 1 1— — 

_ c_ _J 

X 

, 

Mumamiam iljw— — 




B 

ElU 1 MEGABIT TO SATS ! 

R j M 



K | K 



H | W 

i 

GROUND TEST HARDWIRE 1 




1 N 



1 

p 



FIELD NO. 6 (TENTH CHARACTER. IF USEO) 

•IDENTIFIES TWO ACQUISITION REQUIREMENTS FOR ONE TRANSDUCER/SIGNAL 
CONDITIONER. 

T IDENTIFIES A PCM MEASUREMENT THAT IS DECOMMUTATEO FOR RECORDING BY A 
SYSTEM OTHER THAN PCM. 


Column 3 - Measurement Units 
Column 4 - Name of Measurement 


ORIGINAL PA 
OF POOR QUALITY 
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SSME Flight Measurements (1 of 3) 


.. TITLES UTILITY 020289 Vd6.02 •• 

SSME EADS OATA FOR STS30R ME-1 60K8 ENGINE 2027 CONTROLLER F23 


FULL 

N> 

WE — 

DAT 1 : 

FLT029 .C13/G 



TEST 

NUMBER 

0290001 



TEST 

STANO - 

6 




CUTOFF 

TIME 

515.32 



NUMBER 

OF PIOS — 130 




FILE 

FORMAT 

0 




PID 



MSID 

UNITS 

TITLE 


TIME 




SECONDS 

TIME IN SECONDS 


4 



E41M1005P* 


HARO FAIL ID 

ME-1 

5 



E41M1078P 


HARO FAIL TST N01 

ME— 1 

6 



E41M1079P 


HARO FAIL TST N02 

ME-1 

7 



E41M1080P 


HARO FAIL TST N03 

ME-1 

8 



E41U1095O 

UNITS 

MIX RATIO . 

ME-1 

12 



E41T1020O 

OEGR 

PBP OS TMP AVG 

ME-1 

15 



E41T1019O 

DEGR 

W»FP IN TMP AVG 

MC-1 

17 



E41P1067O 

PS I A 

MCC CLNT OS PR A 

MC-1 

18 



E41T1070O 

OEGR 

MCC CLNT DS TMP 8 

ME-1 

21 



E41T1120D 

DEGR 

MCC OXID INJ TEMP 

MC-1 

24 



E41P1066D 

PS I A 

MCC HG INJ PR A 

MC-1 

30 



£41 R1 0730 

RPM 

'lpop SPEED b 

MC-1 

32 



E41R1072D 

RPM 

LPFP SPEED A 

ME-1 

34 



E41P1068D 

PSIA 

HX DS PR B 

ME-1 

36 



E41H1024O 

PCT 

MFV ACT POS A 

ME-1 

38 



E41H1025D 

PCT 

MOV ACT POS A 

ME-1 

40 



E41H1028O 

PCT 

OPOV ACT POS A 

ME-1 

42 



E41H1027D 

PCT 

FPOV ACT POS A 

ME-1 

45 



E41H1026O 

PCT 

CCV ACT POS A 

ME-1 

46 



E41H1062O 

PCT 

LOX BLD VLV POS 8 

ME-1 

47 



E41H1061D 

PCT 

FUEL BLD VLV POS 

ME-1 

48 



E41P1069O 

PSIA 

CON I NT PR A/B 

MC-1 

49 



E41T1071D 

OEGR 

CON I NT TMP A/B 

ME-1 

50 



E41V1074O 

VAC 

CON BUS 1 VOLTAGE 

ME-1 

51 



E41V1075O 

VAC 

CON BUS 2 VOLTAGE 

ME-1 

52 



£41 Pi 0290 

PSIA 

HPFP DS PR A 

ME-1 

53 



£41 PI 0080 

PSIA 

HPFP CLNT INK A 

MC-1 

54 



E41P1009D 

PSIA 

HPFP CLNT LNR 8 

MC-1 

56 



E41P1031D 

PSIA 

FPB PC A 

MC-1 

59 



£41 PI 0330 

PSIA 

PBP DS PR B 

ME-1 

63 



E41P1023D 

PSIA 

MCC PC AVG 

' MC-1 

78 



E41V1 1 180 

voc 

+36 OE VOLTAGE A 

ME-1 

79 



E41V11190 

voc 

+36 OE VOLTAGE B 

ME-1 

66 



E41P1018O 

PSIA 

HPFP IN PR AVG 

ME-1 

90 



E41P1030O 

PSIA 

HPOP OS PR A 

ME-1 

91 



E41P1051O 

PSIA 

HPOT S/C PR A 

ME-1 

92 



E41P1053O 

PSIA 

HPOT S/C PR B 

ME-1 

94 



E41T11250 

DEGR 

PBP PF 1W° B 

ME-1 

96 



E41R1022O 

cal/min 

LOX FLOW AVG 

ME-1 

100 



E41R1021O 

GALA* IN 

FUEL FLOW AVG 

ME-1 

104 



E41M1121P 


FASCOS STATUS WO 

ME-1 

129 



E41P1035D 

PSIA 

MCC PC A2 

ME-1 

130 



E41P1036O 

PSIA 

MCC PC A1 

ME-1 

131 



E41R1037D 

GALA* IN 

FUEL FLOW AVG 

ME-1 

132 



E41R 10380 

cala*in 

LOX FLOW AVG 

ME-1 

133 



E41R1050O 

gala*in 

FUEL FLOW A1 

ME-1 

136 



E41H1040O 

PCT 

MFV ACT POS A 

ME-1 

137 



E41H1084O 

PCT 

MFV ACT POS B (R 

ME-1 

138 



E41H1041O 

PCT 

MOV ACT POS A 

ME-1 
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SSME Flight Measurements (2 of 3) 


139 

E41H-1083O 

PCT 

MOV ACT POS 8 (R 

ME— 1 

140 

E41H1044O 

PCT 

OPOV ACT POS A 

ME— 1 

141 

£4 IH 10880 

PCT 

OPOV ACT POS B (R 

ME— 1 

142 

E41H1043O 

PCT 

FPOV ACT POS A 

ME— 1 

143 

E41H1087D 

PCT 

FPOV ACT POS B (R 

ME— 1 

145 

E41H1042O 

PCT 

CCV ACT POS A 

ME— 1 

146 

E41H1086O 

PCT 

CCV ACT POS 8 (R 

ME-1 

147 

E41P1048O 

PSIA 

HYD SYS PR B 

ME— 1 

148 

£41 PI I860 

PSIA 

FPB PRO PR A 

ME-1 

149 

£41 PI 0590 

PSIA 

OPS PRC PR 8 

ME-1 

152 

E41P104S0 

PSIA 

HP FP OS PR A . 

ME-1 

154 

E41M1097P 


DST REC 2A 

ME-1 

155 

E41M1099P 


DST REG 28 

ME-1 

156 

E41M1096P 


OST REG 1A 

ME-1 

157 

E41M1098P 


OST REG 18 

ME-1 

158 

E41P1047O 

PSIA 

FPB PC A 

ME-1 

159 

E41P1049O 

PSIA 

PSP OS PR 8 

ME-1 

161 

E41P11240 

PSIA 

MCC PC 82 

ME-1 

162 

£41 PI 0520 

PSIA 

MCC PC B1 

ME-1 

163 

E41P1039O 

PSIA 

MCC PC AVG 

ME-1 

171 

E41H1 1170 

PCT 

OPOV CUD LIMIT 

ME-1 

172 

£41 HI 0800 

PCT 

MFV C0M4AN0 

ME-1 

173 

E41H11130 

PCT 

MOV C0M4AN0 

ME-1 

174 

E41H1 1140 

PCT 

CCV C0M4AN0 

ME-1 

175 

E41H11150 

PCT 

FPOV CCM4AN0 

ME-1 

176 

£41 H1 1160 

PCT 

OPOV COMMAND 

ME-1 

190 

E41P1046O 

PSIA 

HPOP OS PR A 

ME-1 

200 

E41P1016O 

PSIA 

MCC PC A AVG 

ME-1 

201 

E41P1017D 

PSIA 

MCC PC 8 AVG 

ME-1 

203 

£41 PI 09 2D 

PSIA 

HPFP INLET PR A 

ME-1 

204 

£41 P1 1270 

PSIA 

hpfp Inlet pr b 

ME-1 

209 

E41P16640 

PSIA 

HPOP INLET PR A 

ME-1 

210 

£41 PI 0630 

PSIA 

HPOP INLET PR 8 

ME-1 

211 

E41P1014O 

PSIA 

HPOP ISP PR A 

ME-1 

212 

E41P1015O 

PSIA 

HPOP ISP PR B 

ME-1 

214 

E41P1054O 

PSIA 

HYD SYS PR 8 

ME-1 

219 

E41P1057O 

PSIA 

FUEL PRC PR A 

ME-1 

220 

£41 PI 0580 

PSIA 

FUEL PRG PR 8 

ME-1 

221 

E41P1055D 

PSIA 

POGO PRCHC PR A 

ME-1 

222 

E41P1056O 

PSIA 

POGO PRCHC PR B 

ME-1 

223 

E41P1 1070 

PSIA 

EM SHTDN PR A 

ME-1 

224 

£41 P1 1080 

PSIA 

EM SHTDN PR B 

ME-1 

225 

E41T1093D 

OEGR 

HPFP INLET TUP A 

ME-1 

226 

E41T1128D 

OEGR 

HPFP INLET TUP B 

ME-1 

231 

E41T1010O 

OEGR 

HP FT OS TVP A 

ME-1 

232 

E41T101 10 

OEGR 

HP FT OS TV* B 

ME-1 

233 

E41T1012D 

OEGR 

HPOT OS TUP A 

ME-1 

234 

E41T1013D 

OEGR 

HPOT OS TOP B 

ME-1 

237 

E41T1111D 

OEGR 

MFV HYD T10> A 

ME-1 

238 

E41T1112D 

OEGR 

MFV HYD TMP B 

ME-1 

239 

E41T1109O 

OEGR 

MOV HYD TVP A 

ME-1 

240 

E41T1 1 100 

OEGR 

MOV HYD TMP 8 

ME-1 

251 

E41R1102D 

GAL/UIN 

FUEL FLOW A2 

ME-1 

253 

£4191 1030 

GAL/MI N 

FUEL FLOS 82 

ME-1 

258 

£41 R1 0340 

GAL/M IN 

FUEL FLOP A1 

ME-1 

260 

E41R10O6O 

R PM 

HPFP SPEED A 

ME-1 

261 

E41R1007D 

RPM 

HPFP SPEED 8 

ME-1 

264 

E41M1082D 

NO 

HARD FAIL PARVAL2 

ME-1 

265 

E41M1083D 

NO 

HARO FAIL PARVAL3 

ME-1 

266 

E41H1063D 

PCT 

POGO RIV POS A 

ME-1 

267 

E41R1 1 230 

IBM/S 

FUEL MASS FLOW 

ME-1 

268 

£41 H1 1040 

PCT 

AFV POS A 

ME-1 

269 

E41H1 105D 

PCT 

AFV POS 0 

ME-1 



SSME Flight Measurements (3 of 3) 


270 

£4101 1220 

LBM/FT3 

FUEL OENSITY 

ME— 1 

271 

£4101 1010 

WITS 

CALCULATED KF 

ME— 1 

272 

E41R1 1260 

LfiM/S 

LOX MASS FLOW (SO 

ME— 1 

273 

£41011000 

UNITS 

CALC C2 

ME-1 

280 

E41M1076D 

NO 

VEH CMO 1 

ME— 1 

281 

E41M1 0770 

NO 

VEH CMD 2 

ME-1 

286 

E41W1004O 

S 

TIME REFERENCE 

ME-1 

287 

E41P1 0940 

PS I A 

PC CNTL REF 

ME-1 

288 

£41 J 10900 

NO 

INHIBIT COUNT 

ME-1 

289 

E41J1091O 

NO 

FID COUNT 

ME-1 

291 

E41M1001P* 


ID WORD 1 

ME-1 

292 

E41M1002P* 


ID WORD 2 

ME-1 

293 

E41M1003P* 


ENGINE STATUS WO 

ME-1 

294 

E41M1081O 

NO 

HARO FAIL PARVAL1 

ME-1 

301 

£41 R1 0890 

GAU/\IIN 

FUEL FLOW 81 

ME-1 

7516 

E41U1032D 

PCT 

SPARE 

ME-1 
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SSME Facility Measurements (1 of 2) 


•• TITLES 

UTILITY 020289 

Vd6 . 02 •• 

SSME EAOS 

DATA FOR STS30R 

ME-1 OD 

FULL NAME 

r>ATi-riTA9<J F13/G 



TEST NUMBER 0290001 

TEST STANO 6 

CUTOFF TIME 515.32 


NUM8ER OF 

PIDS — 60 


FILE FORMAT 0 

PID US ID 

WITS 

TIME 


SECONOS 

553 

E41T1153A 

DEGF 

554 

E41T11S4A 

DEGF 

821 

V41P11BBC 

PSIA 

835 

V41P11MA 

PSIA 

858 

V41P1130C 

PSIA 

879 

V41T1171A 

DEGF 

937 

V41P1154A 

PSIA 

938 

V41P1153A 

PSIA 

1021 

V41T1191C 

DEGF 

1035 

V41T1161A 

DEGF 

1058 

V41T1131C 

DEGF 

1145 

V58T1 131 A 

DEGF 

1147 

V58T1130A 

DEGF 

1420 

E41T1155A 

DEGF 

1421 

E41T1156A 

DEGF 

1552 

V58H1100A 

DEG 

1558 

V58H1150A 

DEG 

1895 

E41T1 152A 

DEGF 

1890 

E41T1151A 

DEGF 

1912 

E41T1150A 

DEGF 

7001 

V41X1109E 

EVENT 

7002 

V41X1110E 

EVENT 

7003 

V41X1661E 

EVENT 

7004 

V41X1S96E 

EVENT 

7005 

V41X1105E 

EVENT 

7000 

V41X1135E 

EVENT 

7007 

V41X1614C 

EVENT 

7010 

V41X1104X 

EVENT 

7011 

V41X1134X 

EVENT 

7021 

V41R1115A 

RPM 

7023 

V41P1490A 

PSIA 

7024 

V41P1590A 

PSIA 

7027 

V41P1600A 

PSIA 

7028 

V41P1605A 

PSIA 

7029 

V41P1650A 

PSIA 

7031 

V41P1150C 

PSIA 

7033 

V58P0137A 

PSIA 

7035 

V95U0163C 

FT/S2 

7041 

V41P1564A 

PSID 

7042 

V41P1464A 

PSID 

7043 

V41P1433C 

PSIA 

7044 

V41P1533C 

PSIA 

7045 

V41T1428A 

DEGF 

7046 

V41T1527A 

OEGF 

7047 

V41T1528A 

DEGF 

7051 

V41T1151A 

DEGF 

7052 

V41T1152A 

DEGF 

7053 

V41T1601A 

OEGF 

7055 

V09T1702A 

DEGF 


ENGINE 2027 CONTROLLER F23 


TITLE 

TIME IN SECONDS 
MFV DS SKIN TEMP 1 ME-1 
MFV DS SKIN TEMP 1 ME-1 
ENG FL IN PR 1 ME-1 
FL PRESS I NT PR ME-1 
ENG OX IN PR 1 ME-1 
GOX PRESS OUT .T ME-1 
HELIUM REGA OUT PR ME-1 
HELIUM REG8 OUT PR ME-1 
ENG FL IN T ME-1 

GHZ PRESS I NT T ME-1 

ENG OX IN T ME-1 

HYD SYS IF RT LN T ME-1 
HYD SYS IF PR LN T ME-1 
AFV DS SKIN TEMP 1 ME-1 
AFV OS SKIN TEMP 2 ME-1 
GIM ACT Y POS ME-1 

GIM ACT Z POS ME-1 

OPOV GOX S L SK T2 ME-1 
OPOV GOX S L SK T1 ME-1 
CONTROLLER PS TEMP ME-1 
LH2 RECRC VLV OPEN ME-1 
LH2 RECRC VLV CLOS ME-1 
CH2 PRESS 1 ON/OFF ME-1 
G02 PRESS 1 ON/OFF ME-1 
LH2 PREVALV CLOSED ME-1 
LOX PREVALV CLOSED ME-1 
PNEU CROSSOVR OPEN 
LH2 PREVALVE OPEN ME-1 
LOX PREVALVE OPEN ME-1 
LH2 RECIRC PUMP S ME-1 
GH2 DISCONNECT PR 
GOX DISCONNECT PR 
PNEU VLV HE SUPPLY 
PNEU VLV HE RG OUT 
PNEU AC CUM PRESS 
HE SUPPLY BOTL PR ME-1 
HYD SYS CRC PUP PR ME-1 
TOTAL LOAD FACTOR 
LH2 SYS DELTA P 
LOX SYS DELTA P 
LH2 MANIFOLD PR 
LOX MANIFOLD PR 
LH2 MANIFOLD T 
LOX MANIFOLD T A 
LOX MANIFOLD T B 
AFT FSLG HE SPLY T ME-1 
MID FSLG HE SPLY T ME-1 
PNEU VLV HE SUP T 
AFT FSLG FLR BTM T 
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SSME Facility Measurements (2 of 2) 


7056 

V09T1720A 

DEGF 

7057 

V09T1724A 

DEGF 

7060 

V58T2140A 

DEGF 

7061 

V58T0183A 

DEGF 

7065 

V58P0114C 

PSIA 

7066 

V58P0116C 

PSIA 

7070 

V58P0616A 

PSIA 

7075 

V58P0115A 

PSIA 

7091 

T41T1705A 

DEGF 

7092 

T41T1755A 

DEGF 

7093 

T41P1700C 

PSIA 

7094 

T41P1701C 

PSIA 

7095 

T41P1702C 

PSIA 

7096 

T41P1750C 

PSIC 

7097 

T41P1751C 

PSIC 

7098 

T41P1752C 

PSIG 


RH AFT FSLG SIDE T 
LH AFT FSLG SIDE T 
H ACCUM SYS RTN i ME-1 
HYD LOX ET R ACT T ME-1 
HYD SYS SUP PR A ME-1 
HYD SYS SUP PR C 
HYD ACM SYS RTN PR 
HYD SYS SUP PR 8 
LK2 ULLAGE TEMP 
102 ULLAGE TEMP 
LH2 ULLAGE PRES 1 
LH2 ULLAGE PRES 2 
LH2 ULLAGE PRES 3 
L02 ULLAGE -PRES 1 
102 ULLAGE PRES 2 
L02 ULLAGE PRES 3 
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ATTACHMENT 11 

PRELIMINARY SAFD HARDWARE DESCRIPTION 
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PRELIMINARY SAFD HARDWARE DEFINITION 


The preliminary SAFD hardware configuration consists of eight major 
subassemblies: 1) interface panel, 2) control panel, 3) mass data storage 
system, 4) time code generator, 5) optic isolation system, 6) command 
processor, 7) performance monitor channels interface (PMCI), and 
8) uninteruptable power supply. Preliminary information on each major 
subassembly is provided in the following sections. 

1. Interface Panel. The preliminary layout of the interface panel consists of 
five main areas. The first area is the power interface, which includes the main 
AC power input, circuit breaker, facility power I/O, and auxiliary power output. 
The second area of the interface panel is the analog input interface. The third 
area of the interface panel is the PMCI interface, which includes the receiver 
inputs, transmit outputs, and vehicle data table (VDT) outputs. The forth area of 
the interface panel is the facility clock interface. The fifth area of the interface 
panel is the peripheral interface, which includes the printer, monitor, mass 
storage, keyboard, mouse, and modem inputs and outputs. 


2. Control Panel. The preliminary layout of the control panel consists of three 
main areas: Power Status, Algorithm Status, and Algorithm Response. 


3. Mass Data Storage System. Hard disk drives contain the operating 
system files, algorithm files, and the SAFD data generated by the command 
processor during SSME hot-fire testing. Floppy disk drives are available for 
loading and unloading data and files. A tape system is available to backup the 
hard disk drives. Specific details of each data storage device have not yet been 
defined. 


4. Time Code Generator. In normal operation, the time code generator 
receives the facility IRIG-B signal. This signal is passed to the command 
processor where it is used to time stamp the VDT and analog data. If the IRIG-B 
signal is unavailable, the time code generator independently issues a time 
stamp signal. 


5. Optic isolation System. The optical isolator isolates the SAFD system 
from facility electrical signals that potentially could damage the command 
processor. 
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6 Command Processor. The command processor is the heart of the SAFD 
system It contains the controller cards for all if the peripherals, the analog to 
diqital converter card(s), and the central processing unit(s) which process the 
enqine and facility data and issues commands. The A/D converters will accept 
64 single ended or 32 differential -5 to +5 volt discrete analog signals. 


Several candidate systems are being evaluated. The leading candidates are 
shown in Table A1 1 -1 . 


7 Performance Monitor Channet Interface. The PMCI acts as a front 
end processor for the SSME Vehicle Data Tables (VDT). The main function of 
the PMCI is to convert the SSME Channel A and B VDT serial inputs to parallel 
outputs. After the 1 28 words have been converted to parallel data they are 
buffered onto the command processor. 

The VDT is obtained by inserting coaxial "Ts" into the data lines between the 
VEEI buffer (located on the test stand) and the CADS (located in the block 
house). The transmit cards in the PMCI are used to perform PMCI loop back 
tests. This is done by disconnecting the SSME VDT receiver input cables from 
the SAFD and installing short coaxial connectors between the transmit outputs 
and receiver inputs. 

The receiver inputs receive the 128 word SSME Channel A and B Vehicle Data 
Table's every 40 ms. 


8. Uninteruptable Power Supply. The SAFD power (117 volts, 30 amps 
maximum) is provided by the facility through the UPS. The UPS will supp y 
approximately 1 5 seconds of reserve power incase the facility power fails. This 
allows for safe system shutdown by the SAFD operator. 
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TABLE A11-1 SAFD CANDIDATE HARDWARE* FEATURES 


IHHi 

[ugnmni 

mm 

IBB!! 

VAX 3500 

MfcroVAX 3800 

CPU 

80386 

68030 

SPARC 

KA650 


CPU MIPS 

7.5 

7.0 

16.0 

2.7 

3.8 

BUS TYPE 

multibus-ll 

VME 

VME 

Q 

Q 

BUS THROUGHPUT 
(Mbyte/sec) 

40.0 

3.0 

2.7 

3.3 

3.3 

MULTI-TASKING 

yes 

yes 

yes 

yes 

yes 

MULTI-PROCESSING 

yes 

yes 

yes 

no 

no 

OPERATING SYS. 

RMX-3 

UNX 

UNIX 

VMX 

VMX 

A/D THROUGHPUT 
(KHz) 

100 

100 

100 

200 

200 

A/D RESOLUTION 
(bits) 

12 

12 or 16 

12 or 16 

12 

12 

VDT THROUGHPUT 
(Mbyte/sec) 


>5 

>5 

2.6 

2.6 
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